Waters Empower 2 Software Seamlessly Manages Regulated Data to Aid in 21 CFR Part 11 Compliance



Similar documents
Waters Empower Software Seamlessly Manages Regulated Data to Aid in 21 CFR Part 11 Compliance

THE ROLE OF WATERS NUGENESIS SDMS IN 21 CFR PART 11 COMPLIANCE

Full Compliance Contents

The Impact of 21 CFR Part 11 on Product Development

Tools to Aid in 21 CFR Part 11 Compliance with EZChrom Elite Chromatography Data System. White Paper. By Frank Tontala

Electronic records and electronic signatures in the regulated environment of the pharmaceutical and medical device industries

21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES CFR Part 11 Compliance PLA 2.1

Compliance Matrix for 21 CFR Part 11: Electronic Records

How To Control A Record System

InfinityQS SPC Quality System & FDA s 21 CFR Part 11 Requirements

Self-Assessment of eresearch Compliance with 21 CFR Part 11, Electronic Record; Electronic Signatures

Implementation of 21CFR11 Features in Micromeritics Software Software ID

21 CFR Part 11 Implementation Spectrum ES

Empower TM 2 Software

Oracle WebCenter Content

FILEHOLD DOCUMENT MANAGEMENT SYSTEM 21 CFR PART 11 COMPLIANCE WHITE PAPER

POLICY ISSUES IN E-COMMERCE APPLICATIONS: ELECTRONIC RECORD AND SIGNATURE COMPLIANCE FDA 21 CFR 11 ALPHATRUST PRONTO ENTERPRISE PLATFORM

FDA 21 CFR Part 11 Electronic records and signatures solutions for the Life Sciences Industry

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA)

InfoCenter Suite and the FDA s 21 CFR part 11 Electronic Records; Electronic Signatures

Enabling SharePoint for 21 CFR Part 11 Compliance - Electronic Signature Use Case

FDA Title 21 CFR Part 11:Electronic Records; Electronic Signatures; Final Rule (1997)

21 CFR Part 11 White Paper

21 CFR Part 11 Compliance Using STATISTICA

A ChemoMetec A/S White Paper September 2013

Implement best practices by using FileMaker Pro 7 as the backbone of your 21 CFR 11 compliant system.

AutoSave. Achieving Part 11 Compliance. A White Paper

SolidWorks Enterprise PDM and FDA 21CFR Part 11

rsdm and 21 CFR Part 11

21 CFR Part 11 Checklist

DeltaV Capabilities for Electronic Records Management

Intland s Medical Template

21 CFR Part 11 Electronic Records & Signatures

Implementing Title 21 CFR Part 11 (Electronic Records ; Electronic Signatures) in Manufacturing Presented by: Steve Malyszko, P.E.

Assessment of Vaisala Veriteq vlog Validation System Compliance to 21 CFR Part 11 Requirements

Compliance Response Edition 07/2009. SIMATIC WinCC V7.0 Compliance Response Electronic Records / Electronic Signatures. simatic wincc DOKUMENTATION

DeltaV Capabilities for Electronic Records Management

Software Manual Part IV: FDA 21 CFR part 11. Version 2.20

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

ScreenMaster RVG200 Paperless recorder FDA-approved record keeping. Measurement made easy

Implementing CitectSCADA to meet the requirements of FDA 21 CFR Part 11

[NUGENESIS SAMPLE MANAGEMENT ] AMPLE IMPROVING LAB EFFICIENCY, ANAGEMENT ACCELERATING BUSINESS DECISIONS. bigstock.com $69

For technical assistance, please contact: Thermo Nicolet Corporation 5225 Verona Road Madison WI

Using the Thermo Scientific Dionex Chromeleon 7 Chromatography Data System (CDS) to Comply with 21 CFR Part 11. Compliance Guide

Spectroscopy Configuration Manager (SCM) Software. 21 CFR Part 11 Compliance Booklet

Manual 074 Electronic Records and Electronic Signatures 1. Purpose

21 CFR Part 11 Deployment Guide for Wonderware System Platform 3.1, InTouch 10.1 and Historian 9.0

TIBCO Spotfire and S+ Product Family

Compliance in the BioPharma Industry. White Paper v1.0

Compliance Response SIMATIC SIMATIC PCS 7 V8.1. Electronic Records / Electronic Signatures (ERES) Edition 03/2015. Answers for industry.

Software. For the 21 CFR Part 11 Environment. The Science and Technology of Small Particles

Thermal Analysis. Subpart A General Provisions 11.1 Scope Implementation Definitions.

[ EMPOWER 3 SOFTWARE ] MORE CAPABILITIES FOR YOUR LAB, MORE VALUE FOR YOUR ENTERPRISE

Using Chromeleon Chromatography Management Software to Comply with 21 CFR Part 11

INTRODUCTION. This book offers a systematic, ten-step approach, from the decision to validate to

Electronic Document and Record Compliance for the Life Sciences

Nova Southeastern University Standard Operating Procedure for GCP. Title: Electronic Source Documents for Clinical Research Study Version # 1

Supplement to the Guidance for Electronic Data Capture in Clinical Trials

Considerations for validating SDS Software v2.x Enterprise Edition for the 7900HT Fast Real-Time PCR System per the GAMP 5 guide

LabChip GX/GXII with LabChip GxP Software

Guidance for Industry. 21 CFR Part 11; Electronic Records; Electronic Signatures. Maintenance of Electronic Records

MHRA GMP Data Integrity Definitions and Guidance for Industry January 2015

Quantum View Manage Administration Guide

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015

Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS

Auditing Chromatographic Electronic Data. Jennifer Bravo, M.S. QA Manager Agilux Laboratories

REGULATIONS COMPLIANCE ASSESSMENT

Guidance for Industry. 21 CFR Part 11; Electronic Records; Electronic Signatures. Electronic Copies of Electronic Records

Sympatec GmbH System-Partikel-Technik WINDOX 4. Electronic Records/ Electronic Signatures Compliance Assessment Worksheet for 21 CFR Part 11

This interpretation of the revised Annex

The biggest challenges of Life Sciences companies today. Comply or Perish: Maintaining 21 CFR Part 11 Compliance

Data Management PACT Workshop: Design & Operation of GMP Cell Therapy Facilities April 10 th -11 th, 2007

Guidance for Industry Computerized Systems Used in Clinical Investigations

Life sciences solutions compliant with FDA 21 CFR Part 11

Achieving 21 CFR Part 11 Compliance with Appian

Review and Approve Results in Empower Data, Meta Data and Audit Trails

OECD SERIES ON PRINCIPLES OF GOOD LABORATORY PRACTICE AND COMPLIANCE MONITORING NUMBER 10 GLP CONSENSUS DOCUMENT

Guidance for Industry. 21 CFR Part 11; Electronic. Records; Electronic Signatures. Time Stamps

21 CFR Part 11 LIMS Requirements Electronic signatures and records

Guidance for electronic trial data capturing of clinical trials

Risk-Based Approach to 21 CFR Part 11

CoSign for 21CFR Part 11 Compliance

Guidance for Industry

Sponsor Site Questionnaire FAQs Regarding Maestro Care

Eclipsys Sunrise Clinical Manager Enterprise Electronic Medical Record (SCM) and Title 21 Code of Federal Regulations Part 11 (21CFR11)

Issues in Information Security and Verifiability for Biomedical Technology Companies

Assuring E Data Integrity and Part 11 Compliance for Empower How to Configure an Empower Enterprise

Considerations for Management of Laboratory Data

Clinical database/ecrf validation: effective processes and procedures

UNCITRAL legislative standards on electronic communications and electronic signatures: an introduction

GCP INSPECTORS WORKING GROUP <DRAFT> REFLECTION PAPER ON EXPECTATIONS FOR ELECTRONIC SOURCE DOCUMENTS USED IN CLINICAL TRIALS

OpenText Regulated Documents for the Life Sciences Industry:

SIMATIC SIMATIC PCS 7 V8.0. Electronic Records / Electronic Signatures. Compliance Response. Answers for industry.

Product Lifecycle Management in the Medical Device Industry. An Oracle White Paper Updated January 2008

Thermo Scientific ClinQuan MD Software For In Vitro Diagnostic Use. Confidence in Results With Data Integrity

WATERS QUANTITATIVE ANALYSIS solutions

International Compliance

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Why Use Electronic Transactions Instead of Paper? Electronic Signatures, Identity Credentialing, Digital Timestamps and Content Authentication

Transcription:

THE ROLE OF WATERS EMPOWER 2 SOFTWARE IN ASSISTING IN 21 CFR PART 11 COMPLIANCE Waters Empower 2 Software Seamlessly Manages Regulated Data to Aid in 21 CFR Part 11 Compliance

Summary The objective of this white paper is to discuss the 21 CFR Part 11 compliance utility of Waters Empower 2 Software for the regulated scientific laboratory. Regulated pharmaceutical and biotech arenas are currently striving to meet compliance with 21 CFR Part 11, the U.S. Food and Drug Administration s (FDA) rule governing electronic records and electronic signatures. Meeting Part 11 compliance remains challenging; eventually Part 11 will be viewed as a significant, impelling force to drive companies from a paper-records environment to a more efficient electronic-records environment. Although it s understood that merely purchasing a chromatography data software package that incorporates thorough Part 11 technical controls does not make one fully compliant, complete technical controls should be inherent in any system that is used in a regulated environment. The technical controls for 21 CFR Part 11 compliance are built into Empower 2 Software. 21 CFR Part 11 Background Regulations affecting the creation, maintenance, transmission, storage and modification of electronic records have recently added new focus to the regulated life science industries. 21 CFR Part 11, the FDA rule governing electronic records and electronic signatures, has emerged as among the most defining regulations for the pharmaceutical and biotech industries. The impact is far-reaching, affecting quality assurance, quality control, information technology, manufacturing, lab management and researchers practices. 21 CFR Part 11, currently in force as part of GxP inspections, has transformed the management of electronic data in regulated life science industries. Part 11 has serious overall implications for all aspects of regulated enterprise operations. No one technology or discipline is more or less affected by the rule; it is pervasive throughout an organization. Every system that generates electronic records required by a predicate rule (GxP) must be examined to determine its current ability to comply with Part 11. Potentially, hundreds of systems within a pharmaceutical or biotech company may be affected. This includes analytical instruments (HPLC, UPLC, GC, MS, NMR, GC/MS, etc.), Microsoft Excel and Word documents, and LIMS (Laboratory Information Management Systems). From the lab to the enterprise and beyond, Part 11 impacts good electronic record management significantly. 21 CFR Part 11 has recently gained momentum within FDA field operations as the enforcement of Part 11 has increased. The rule, originally proposed by the pharmaceutical industry to reduce the burden of paper in 1991, became effective in August of 1997. Know Your Data Machine-readable (raw) data and human-readable (report) data generated by analytical instruments (HPLC, UPLC, GC, UV, MS, etc.) and Microsoft Office tools are currently being maintained by a variety of inconsistent methods that make it difficult to either retrieve or re-use this data in an expeditious and uniform manner. Raw data is defined as an electronic record the minute it is saved to durable media. Metadata, or data about data, must also be saved and archived electronically. Since one cannot print to paper every bit of metadata available in electronic form, and since the FDA wants to use the same tools to evaluate the data the operator used, paper printouts are no longer a suitable substitute for electronic data. It is important that you maintain and protect the raw data, the metadata and the report data for each regulated system. Electronic records should not be deleted after they have been printed. Empower 2 Software is designed to archive and catalog both the machine- and human-readable data allowing companies to: Become compliant with the FDA ruling on electronic records and electronic signatures Archive machine-readable data from any controlled instrument to safe, stable and secure media Retrieve machine-readable data on demand within minutes via an online storage device Establish traceability between the human-readable data and the machine-readable data Integrate Empower 2 Software with other applications

Summary of Waters Strategies for Compliance Empower 2 Software uses Oracle as the underlying relational database, providing a robust and scalable architecture. Empower 2 Software meets all of the technical requirements for electronic records as prescribed by 21 CFR Part 11. The current version of this product helps any regulated company meet the core requirements of Part 11 with a clear plan and strategy for full compliance, including electronic signatures. The following sections describe the key recommendations of Part 11 and how Empower 2 Software aids in compliance with the described technical controls. Scope of 21 CFR Part 11 ( 11.1): The general scope of Part 11 states, The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. As the pharmaceutical and biotech industries move from paper to more flexible electronic data and information environments, Part 11 and other regulations will ensure continued data integrity in electronic formats. Overall, it is believed that more secure and trustworthy data will ultimately result from Part 11 compliance in the life science arena. In addition to enhancing the integrity of data required to be maintained by the predicate rules (GxP regulates the Federal Food, Drug and Cosmetic Act, the Public Service Act or any FDA regulation except for Part 11), Part 11 also paves the way for full electronic submissions to the FDA. The Rule says: For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met. For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part. Measures to ensure the trustworthiness of electronic records and electronic signatures consist of administrative, procedural and technical controls implemented for computer systems. This publication mainly focuses on the technical controls required by Part 11 that are provided by Empower 2 Software for trustworthy and reliable scientific data management. Although this paper addresses key technical controls from 21 CFR Part 11, it is not intended to cover everything that Part 11 compliance should encompass. To satisfy this requirement, persons must, among other things, employ procedural and administrative controls that oversee conformance to Part 11 requirements. Electronic Records Applicability and Definition Per 21 CFR Part 11, the definition of an electronic record is, any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. 21 CFR Part 11 applies to all electronic records used to meet GxP (GMP, GCP, GLP) requirements, including, but not limited to, systems for: Batch records, SOPs, test methods, specifications and policies Inventory records Calibration and preventative maintenance records Validation protocols and reports LIMS systems Chromatography data systems Customer-complaint files Adverse event reporting systems Automated document management systems Controls for Closed Systems ( 11.10): Essentially, these are the measures designed to ensure the integrity of system operations and electronic records stored in a closed system. Section 11.3 indicates that a, Closed System means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. By definition, Empower 2 Software is a closed system. The Rule further states that, Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the

authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Some of the procedures and controls required to maintain record integrity in closed systems include: Validation ( 11.10(a)) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review and copying by the agency ( 11.10(b)) Protection of records to enable accurate and ready retrieval throughout the records retention period ( 11.10c) Limiting system access to authorized individuals ( 11.10(d)) The use of computer generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation will be retained for a period as least as long as that required for the subject electronic records and will be available for agency review and copying ( 11.10(e)) Use of operational system checks to enforce permitted sequencing of steps and events ( 11.10(f)) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record or perform the operation at hand ( 11.10(g)) Use of device checks to determine the validity of the source of data input or operational instruction Let s take a look at some of the Part 11 technical controls in more detail. Accurate and Complete Copies: 11.10(b) of the Rule states that one must have the ability to generate accurate and complete copies of records. The ability to make accurate and complete copies of data and metadata is very important. This is critical when considering that the FDA considers paper printouts of electronic records not suitable substitutes for those electronic records. Archiving implies that electronic information is stored and then moved from active state to inactive state. Upon archiving, records must be protected to ensure record access and usability for the duration of the established record retention period. Controls must be implemented to ensure that archiving preserves the trusted status of the record and allows for long-term access and use. Secure archiving requires: Moving data to a secure storage area that is still retrievable, in human-readable form Maintaining the integrity of the data during a move Validating the data move Maintaining data integrity for the duration as defined in applicable record retention policies Technology that preserves integrity of the record before, during and after a data migration activity Ensuring that the audit trail is archived Technology and procedures that permit data to be retrieved and copied, in both electronic and human readable form, throughout the life of the data AUTOMATED BACKUP OF LABORATORY DATA: Empower 2 Software captures both human-readable and machine-readable data accurately, electronically and automatically. Empower 2 backup software automates the project backup process and provides a mechanism to backup several projects at one time. It also gives you the option to have your own backup software started automatically when Empower 2 is finished. You can easily retrieve backed up data by using the restore function, which allows you to restore one or multiple projects. It is also possible to either manually backup a project and samples, or schedule a back-up task using the Windows Scheduler. Empower 2 Software dramatically reduces the amount of time required to properly manage the vast amount of data generated in labs every day. Analysts and lab managers can work with complete confidence that the data is being safely and securely backed up and can be easily accessed when required. No user intervention is required.

It is imperative to capture the corresponding metadata along with the electronic record. Empower 2 Software automatically backs up all the metadata from both raw data, and human-readable records in a project, and stores this with the files in a protected, closed environment. The user can review a list of projects (Figure 1) that have been backed up. The FDA s intention is that you should be able to generate your original results from your original raw data. To do that, you not only need the raw data but also the metadata. Since it uses a relational database, Empower 2 Software provides superior traceability of raw data to results, calibration curves, instrument methods, processing methods and sample sets. Empower 2 Software allows for immediate, but controlled, access to electronic data stored in its secure Oracle database. Figure 1. Project Backup showing multiple projects in Empower 2 Software. Figure 2. Shows how to configure user s backup software in Empower 2. Protection and Ready Retrieval of Records: 11.10(c) of the Rule states that records must be protected to enable their accurate and ready retrieval throughout the records retention period. Records should be protected against the likes of uncontrolled modification or deletion, and the system should automatically recognize when records have been altered after the initial recording. The system must also allow for accurate and ready retrieval of such records. Part 11 does not specify a timeframe for the retention period; retention time is defined by the predicate rules. Figure 3. Above, shows the Restore function of Empower 2 Software. Restore has the ability to restore archived files either to their original location, or to a new, user-specified location and ask the user to enter a comment.

For records protection, Empower 2 Software utilizes Privileges that defines users and user groups, and assigns privileges therein. For example, someone with pre-defined chemist privileges would only be allowed to sign reports for review, without the capability of approving them. Empower 2 Software is designed to retain humanreadable and machine-readable records for as long as the designated retention period states. The architecture of the system is based on an Oracle database with distributed components to support enterprise-wide deployment. Waters technologies products provide the ability to achieve compliance with 11.10 of the Rule. All Empower 2 Software components are compliant ready with sub-sections 11.10 a-g. Accurate and complete copies of machine-readable data and metadata can be made using Empower 2 Software. Likewise, accurate and complete copies of human-readable data and metadata can be made using Empower 2 Software. Empower 2 Software requires an authorized user login to gain access to the system. Once logged on, a privilege grid controls the user s access to data. Empower 2 Software does not allow users to perform illegal actions within the system. Proper sequencing of steps and events is typically procedural and will vary greatly from site to site. Figure 5. Empower 2 Login screen. This system uses a login that requires the user to enter both the Username and Password, helping to protect access to the records therein. Empower 2 Software will capture data from any instrument that the user specifies. The validity of this data prior to Empower 2 Software instrument capture is the true responsibility of the user. Limiting System Access: Figure 4. Above, Empower 2 Chemist Privileges. Defined user privileges such as the ability to Sign Off Results 1. Controls for Open Systems ( 11.30): 21 CFR Part 11 states, Open System means an environment in which system access is not

controlled by persons who are responsible for the content of electronic records that are on the system. It is further stated that, Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. An example of such an open system is an unsecured, web-based system used for transmitting data. Subpart B, 11.30 states that the controls for closed systems also apply to open systems. However, in order to maintain the authenticity, integrity and confidentiality of electronic records that are transmitted over an open system, tighter controls such as digital encryption would be required. Empower 2 Software is not an open system. signatures, nor does it mandate when an e-signature is used or what documents must be signed. This is governed by the predicate rules. The Rule does, however, require signature manifestations to contain three key pieces of metadata. It is stated that Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). Also, the electronic signature is subject to the same Electronic Signatures Applicability and Definition Part 11 defines an electronic signature as, a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual s handwritten signature. Many companies are not ready for e-signatures, but must still comply with all of the regulations regarding electronic records. The FDA is permitting the use of a hybrid system for companies that maintain archives of the electronic versions of each record while concurrently using paper-based signature processes. It is vital to be able to prove the identity of an individual required to sign an electronic record. The key is linking the owner to the electronic identity and confirming that the individual has the authority to sign. Signature Manifestations ( 11.50): 21 CFR Part 11 does not mandate electronic Figure 6. Above, an Empower 2 Software display of e-signature history. Note the display in humanreadable form of the three pieces of metadata needed for an e-signature manifestation.

controls as e-records and must be included in any human- readable form of the record such as display or printed copies. Empower 2 Software provides the ability to achieve compliance with this part of the Rule. The software captures and displays the three pieces of metadata of which a signature manifestation should consist. The Empower 2 Software e-signature option displays the full printed name of the signer, the date and the time that the signature was executed and a meaning for the signature (configure meanings in the Project Manager for review, approval, authorship, responsibility, etc.). These are all required elements when a record is signed. For trustworthy signed electronic records, electronic signatures should be unique to one individual and should not be reused or reassigned to anyone else: Empower 2 Software prevents re-allocation of e-signatures and prevents deletion of any information relating to a signature once it has been used Empower 2 Software does not allow signature information to be removed from an electronic record once it has been applied Signature/Record Linking ( 11.70): Section 11.70 ensures the integrity of either electronic or handwritten signatures executed to electronic records by specifying that, Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic Figure 7. Above, the permanent Empower 2 Software Signoffs Oracle table is updated. This table can only be added to by the application (i.e., more signatures can be added to a report), but this table cannot be changed. record by ordinary means. Linking the signature to the original electronic record is especially critical when a printout or an electronic copy of the e-record becomes orphaned from that e- record. The signature must not be lost. Empower 2 Software provides the ability to achieve compliance with this part of the rule. The software enables non-breakable linking of electronic signatures to electronic records. The Empower 2 Software e-signature information is stored in the Oracle relational database and is permanently linked to the record itself. It is not possible to excise, copy or transfer the signature to another unsigned document. ELECTRONIC SIGNATURE COMPONENTS AND CONTROLS ( 11.200): Electronic signatures may be either non-biometric or biometric. For non-biometric electronic signatures, two forms of identification are required. These can be any of the following: User ID and password Card key and password Two passwords The Rule defines Biometric as, A method of verifying an individual s identity based on measurement of the individual s physical feature(s) or repeatable actions(s) where those features and/or actions are both unique to that individual and measurable. Some familiar examples include, voiceprints, finger/thumb print recognition, retinal scans or any device or method designed to ensure use only by the genuine owner. Electronic signatures that are not based upon biometrics shall: 1. Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each

signing shall be executed using all of the electronic signature components. 2. Be used only by their genuine owners; and 3. Be administered and executed to ensure that attempted use of an individual s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. Non-biometric e-signatures must be administered and executed to prevent forging. Electronic Signatures, General Requirements ( 11.100): Electronic signatures not based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. Empower 2 Software: Provides the ability to achieve compliance with this part of the Rule Uses Oracle tools to manage user ID and password for e-signature manifestations Requires both components for all signatures; reason codes may be restricted to authorized users Requires a Username/Password combination in order to e-sign a report Further administrative and procedural controls are also required on the part of the user to ensure that passwords and user IDs are utilized and administered properly Biometric signatures are not included in Empower 2 Software; if biometrics are requested by customers, we will consider adding this feature in a future release 11.200(a)(1) System shall ensure that the first signing in a controlled session requires both signature components. Within Empower 2 Software, each time you sign a report in a non-contiguous fashion, both the username and password are required for authentication During non-continuous access, both components are required for each signing. See 11.200(a)(1) CONTROLS FOR IDENTIFICATION CODES/ PASSWORDS ( 11.300): Ultimately, the purpose of Part 11 is to achieve trusted electronic records. The identity of the user is essential to irrefutably label an individual responsible for some aspect of the electronic record. Electronic identification is the passive harvesting of users identities as they are performing tasks on a system. Some characteristics of electronic identification include: Users typically assigned an ID as part of system. The ID is passively captured/harvested as the user operates the system If an electronic ID is collected, it must be linked to the record for the duration of the record Electronic ID does not have the same force of law as electronic signature; however, it still implies attributability and should be taken seriously Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Figure 8. Empower 2 Software allows you to create a unique sign-off policies. Such controls shall include: A. Maintaining the uniqueness of each combined identification code and password, such that no

two individuals have the same combination of identification code and password. B. Ensuring that identification code and password issuances are periodically checked, recalled or revised (e.g., to cover such events as password aging). C. Following loss management procedures to electronically unauthorize lost, stolen, missing or otherwise potentially compromised tokens, cards and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. D. Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. E. Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Empower 2 Software provides the ability to achieve compliance with this part of the Rule. The software uses Oracle tools to manage user ID and password for e-signature manifestations. Sections 11.300 A, C and E above are the user s responsibility; they fall under administrative/ procedural controls 11.300(b) System should force password changes periodically Empower 2 Software allows an administrator to force a password change based upon company policy and business rules 11.300(d) Ability to notify administrators of unauthorized system access attempts and lock terminal after a specified number of failed attempts Empower 2 Software provides this capability through Oracle In the event of more than a specified number of unsuccessful attempts to log in to Empower 2 Software, the following will occur: o The user account is disabled, requiring an administrator to unlock o Notification is sent to the Security Monitor and the Audit Trail o This feature cannot be disabled Audit Trails As mentioned previously, the use of computergenerated, time-stamped audit trails are a significant part of the Controls for Closed Systems. (See 21 CFR Part 11 11.10.) Even though an audit trail is nothing new for FDA regulated environments, it is the most frequently discussed requirement of Part 11, primarily due to the expected cost of upgrading legacy systems that lack complete audit trails. Audit trails are considered the key to the security of a system since they track access to the data. In this way, an incomplete or absent audit trail can impact data integrity or even product quality. The absence of an audit trail is considered to be, highly significant when there are data discrepancies according to the FDA. The benefits of having a complete audit trail irrespective of compliance include using it to deter fraudulent manipulation of records, detect device tampering by the device owner, alert administrators when investigation is necessary, maintain record integrity and reduce the risk of information being lost or changed. Part 11 requires electronic audit trails for all data archived and managed as per the Rule. Audit trails must be: Operator independent no operator may change, sign, write-to or modify in any way Computer generated (automatically) Include date and time the individual created, modified, reviewed, approved or deleted an electronic record Time and date stamped using local time in an unambiguous format (military or standard time) Secure reasonable security to prevent tampering The audit trail documentation must be retained for the same period as electronic record. Accurate and complete copies must be made available to the FDA for review and copying and must be both humanreadable and machine-readable. Additionally, the recorded changes must not obscure

previously recorded information, and any changes need to be documented in the audit trail. Empower 2 Software and Project Audit Trails provide a history of actions that affects the System (such as denied login, project archival, changes to system policies). The Project Audit Trail captures information that affect the data within a project (calibration, method changes, processing data) and other information captured in the Empower 2 Software database (who, when, what) including any data Manage Validation and Compliance Documentation Empower 2 Software can be used to store qualification data for instruments and software in the lab. Since these checks need to be performed periodically, Empower 2 Software provides not only a convenient storage location, but also a way of clearly documenting the timing of the various qualification tests done in the lab. Validation and compliance documentation is immutably stored within the relational database. Figure 9. Above, the readable view of the Empower 2 Software System Audit Trail. insertions, modifications to metadata, record copies, deletions and template applications. Empower 2 Software does not allow the data itself to be changed. Changes to user privileges are also tracked. The audit trails are generated automatically. Empower 2 Software has the ability to discern invalid or altered records. Empower 2 Software provides checksum and cyclic redundancy check (CRC) verification for all humanreadable and machine-readable data to protect against data being altered within the system. Beyond the Rule: Other Data Management Solutions from Waters Corporation Assistance with Audits Auditors require objective evidence to be provided in a timely fashion. If analytical reports are online in the Empower 2 Software database, providing documented evidence becomes a fast, streamlined process. Empower 2 Software acts like an electronic filing cabinet. Instead of sifting through printed reports by hand, the Empower 2 Software view filters can directly access the requested report or reports.

Sales Offices: Austria 43 1 877 18 07 Australia 61 2 9933 1777 Belgium and Luxembourg 32 2 726 1000 Brazil 55 11 5543 7788 Canada 1 800 252 4752 x2205 Czech Republic 420 2 617 11384 Waters Laboratory Informatics The Waters Laboratory Informatics suite, including Empower 2 Software, is made up of powerful, integrated information management solutions that enable you to compile, manage and share the vast quantity of data generated in your laboratory. Whether you re searching for application-specific software or looking to augment your data management strategy, Waters Laboratory Informatics solutions transform raw data into your competitive advantage. Learn more at www.waters.com/informatics. Denmark 45 46 59 8080 Finland 358 9 506 4140 France 33 1 3048 7200 Germany 49 6196 400600 Hong Kong 852 29 64 1800 Hungary 36 1 350 5086 India 91 80 2837 1900 Ireland 353 1 448 1500 Italy 39 02 27 4211 Japan 81 3 3471 7191 Korea 82 2 820 2700 Mexico 52 55 5524 7636 The Netherlands 31 76 508 7200 Norway 47 6 384 6050 People s Republic of China 86 10 8451 8918 Poland 48 22 833 4400 Puerto Rico 787 747 8445 Russia/CIS 7 095 931 9193 Singapore 65 6273 1221 Spain 34 93 600 9300 Sweden 46 8 555 11 500 Switzerland 41 62 889 2030 Taiwan 886 2 2543 1898 UK 44 208 238 6100 Waters Global Services To achieve your greatest success, every aspect of your operation needs to work together. Waters Global Services creates programs that will optimize your entire laboratory and information management processes. We offer a comprehensive portfolio of services to help your laboratories perform at their best. Instrument Services extend and enhance the standard limited warranty you receive when you buy a Waters instrument, delivering the value you need to avoid costly and time-consuming system downtime. Software Services include enterprise implementation and validation services, training, and support programs for Waters Laboratory Informatics software products. Professional Services provide you with programs that improve laboratory productivity, including asset management, and relocation services. Connections Compliance Services provide you with timely and cost-effective solutions for your regulatory compliance challenges. Use Waters Compliance Services to verify proper equipment operation for cgmp/glp compliance, significantly reducing operating costs. Educational Services provides extensive UPLC, HPLC, MS, and software training and education at your site, at our corporate headquarters or at our local offices around the world. Waters Global Services worldwide service and support organization is staffed by experts in 94 offices located in more than 50 countries. Our technical experts are available in person, on the phone, or at www.waters.com to answer questions and provide you with service, support and information US 1 800 252 4752 WATERS CORPORATION 34 Maple St. Milford, MA 01757 U.S.A. T: 508 478 2000 F: 508 872 1990 www.waters.com Waters and Empower are trademarks of Waters Corporation. All other trademarks are the property of their respective owner. 720001404EN JH-PDF

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information