21 CFR Part 11 White Paper

21 CFR Part 11 White Paper Version V8.00 SR1

ProLeiT AG Einsteinstrasse 8, D-91074 Herzogenaurach, Germany Phone: +49 (0) 9132 777-0 Fax: +49 (0) 9132 777-150 E-Mail: info@proleit.com Internet: http://www.proleit.com Hotline E-mail: hotline@proleit.com, V8.00 SR1 R02, Edition: 27. April 2010 PiT_V801_21CFR-Part11_en.doc No responsibility can be assumed for the details contained in this manual; changes can be made at any time. The software described in this document is subject to the license conditions. Designations for hardware and software mentioned in this manual are registered trademarks of hardware and software products. Note We thank Maas & Peither GMP-Verlag for their support in the creation of this document. 2

Table of contents Table of contents 1 Introduction... 4 2 Fundamentals... 5 2.1 The 21 CFR Part 11 regulation... 5 2.2 Term definitions... 6 3 Electronic batch records... 8 3.1 Recordings always required by FDA... 8 3.1.1 21 CFR Part 211... 8 3.1.2 Compliance Policy Guide 7132a.15... 8 3.2 Additional FDA requirement from 21 CFR Part 11... 9 3.2.1 Validation... 9 3.2.2 Audit trail... 9 3.2.3 Access protection... 9 3.2.4 Storage... 9 3.2.5 Documentation... 9 3.3 Recordings and data pools managed by...10 4 Evaluation of with regard to the requirements of 21 CFR Part 11...11 4.1 Application-specific specifications...11 4.2 Evaluation table...11 3

Introduction 1 Introduction FDA regulation 21 CFR Part 11: Electronic Records; Electronic Signature The 21 CFR Part 11 regulation of the US authority FDA (Food and Drug Administration) took effect on August 20, 1997. The regulation describes which requirements the FDA places on the use of electronic recordings and signatures rather than those in paper form. These must be equivalent to the traditional recording in paper form. It is also possible to use a combination of electronic recordings and recordings in paper form. Operational areas for provides a uniform system platform for automation solutions in the process engineering industry. It covers the complete area of the automation and information technology from the field level through to the enterprise resource planning level. Since 1999, the systems have been used increasingly in the pharmaceutical industry so that they have been and will be continually adapted to the growing requirements demanded by the European and US authorities. Content of this document This document describes how the requirements of 21 CFR Part 11 can be satisfied by the system and the appropriate organizational measures to ensure that the system user can operate the system in conformance with the regulation. 4

Fundamentals The 21 CFR Part 11 regulation 2 Fundamentals 2.1 The 21 CFR Part 11 regulation The 21 Code of Federal Regulations (CFR), Part 11 title contains the legal regulations of the FDA (US authority for supervising food and medicinal products) concerning the use of electronic recordings and electronic signatures. Definitions for the electronic recording and electronic signature terms are contained in sections 11.3 (6) and (7) of the regulation. Purpose of the regulation Part 11 was originally issued on July 21, 1992 as preannouncement of a draft law. The purpose of this initiative was to accelerate the approval process for medicinal products. However, the other consequences, namely the acceptance of both information and signatures for the approval in electronic form, were apparent immediately. After six years of cooperation between various authorities and the pharmaceutical industry, the final regulation took effect on August 20, 1997. Content of the regulation Part 11 specifies the legal prerequisites under which electronic recordings and signatures are accepted as being equivalent to recordings on paper and handwritten signatures. Part 11 assumes that the danger of manipulation and non-traceable changes to electronic recordings and signatures is greater than for paper form and additional measures must be adopted. The term electronic recording In this document, electronic recording refers to data that is relevant for the manufacturing regulations for medicinal products (21 CFR Part 210 and Part 211) and which the system records (e.g. temperature changes), creates (e.g. signaling of a limit value violation) or manages (e.g. material stocks). 5

Fundamentals Term definitions 2.2 Term definitions The following table contains the term definitions in accordance with the Part 11. Terms definition from the regulations (Original) 1 Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark. Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual s handwritten signature. Comment by ProLeiT can be operated as closed system in which intervention by the responsible person (e.g. the plant operator) can be fully controlled. If the system is used together with other systems on a single computer or networks are connected physically, the plant operating company must evaluate the complete system. Examples within the system include batch recipes, batch log, measured value recordings, messages, etc. Requires no further explanation This is the replacement for the hand-written signature. Currently, user identification and password are in most common use. Biometric procedures are being used increasingly. 1 Source: Gesetze der USA, Maas & Peither GMP-Verlag, ISBN: 3-934971-00-8 6

Fundamentals Term definitions Terms definition from the regulations (Original) 1 Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified. Biometrics means a method of verifying an individual s identity based on measurement of the individual s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable. Comment by ProLeiT A user must be able to be uniquely assigned to an electronic signature, where the authorization, e.g. the password, must be stored encrypted. The user identification and password must be entered for the first signature during a session. Further signatures within this session should be performed with at least the input of one of these components. The purpose of the signature must be specified clearly and unambiguously. If required, can integrate external systems for the biometric acquisition. 7

Electronic batch records Recordings always required by FDA 3 Electronic batch records 3.1 Recordings always required by FDA 3.1.1 21 CFR Part 211 Plant operating companies subject to the FDA regulations must manage various recordings for the manufactured products. 21 CFR Part 211, Current Good Manufacturing Practice (cgmp) for Finished Pharmaceuticals, Subpart J defines what these are. These explicitly required recordings and reports contain the following: Log of the device use and cleaning Recordings about raw materials, packaging and labeling Central production and controller recordings Batch production and controller recordings Laboratory reports Sales reports Complaints For some of these recordings, such as the batch recordings, large parts of the required information are recorded or created by the computer system. The requirements placed on the type of information are not changed by Part 11. 3.1.2 Compliance Policy Guide 7132a.15 In addition to those recordings defined precisely in the cgmp, there is another group of recordings that must be managed similarly. Part 211 Subpart J refers to manufacturing and controller instructions. For a manually-operated process, these instructions exist in paper form as work instructions. In the case of a computer-controlled automated process, these instructions exist as source code for the application programming. The implicit relationship between source code and recordings was established in 1987 by the FDA as the Compliance Policy Guide 7132a.15 that states: Relationship: Source code and recordings We regard source code and its supporting documentation for application programs used in drug process control to be part of master production and control records, within the meaning of 21 CFR Parts 210 and 211. 8

Electronic batch records Additional FDA requirement from 21 CFR Part 11 3.2 Additional FDA requirement from 21 CFR Part 11 3.2.1 Validation All GMP-relevant automated systems must be validated. 3.2.2 Audit trail All quality-relevant operations must be recorded in a reliable automaticallycreated audit trail. 3.2.3 Access protection The access to electronic recordings must be restricted to a qualified and authorized group of persons. 3.2.4 Storage The systems must be able to archive, protect and, on request, make available the electronic recording. 3.2.5 Documentation For the documentation created during the validation, quality procedures must exist for the storage, access, distribution and use. 9

Electronic batch records Recordings and data pools managed by 3.3 Recordings and data pools managed by The following table lists the recordings and data pools acquired by. Recordings for system parts System configuration General operator interventions Batch management Batch operator interventions Batch log Process history Process log Example - Definition of the users and their access rights - Sequence logic - Alarm configuration - Control method - Graphical representations - Audit trail - Setpoint and value changes - Failure acknowledgements - Definition of process equipment and process cells - Phase definitions - Recipes - Interventions in the batch operation (start, hold, cancel) - Changes in formulas, parameters and execution sequences - Phase messages and operator responses - Batch reports - Configuration of the recording of trends and views - Curve definitions - Curve data 10

Evaluation of with regard to the requirements of 21 CFR Part 11 Application-specific specifications 4 Evaluation of with regard to the requirements of 21 CFR Part 11 4.1 Application-specific specifications In the Compliance Policy Guide 7153.17, FDA has prepared regulations for the implementation of 21 CFR Part 11 in which they allow the own inspectors large freedom with regard to regulatory measures. The FDA does not issue any certificates for products such as, neither is any other independent authority permitted to do this. The plant operating company must always satisfy the specifications of 21 CFR Part 11 for the specific application. Whether the prerequisites are satisfied is decided for each specific case. 4.2 Evaluation table The following table contains the requirements of 21 CFR Part 11 and the evaluation of ProLeiT AG how the requirements are satisfied by the system and/or by regulatory measures of the plant operating company. Wording of the regulation (Original) 2 11.10.a Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Comment concerning The plant operating company is responsible for validating the system This should be done using recognized regulations and procedures, e.g. life cycle model (e.g. Gamp4/5). The system was developed in accordance with the ProLeiT AG quality management system that is certified as ISO 9001:2000 conform. The system supports the validation of the application. The system does not support any subsequent changes to the electronic recordings. Recordings - Audit trail: For operator interventions, an audit trail is created in the system for all relevant changes. The system access protection prevents any changes being made to this. - Measured values: The measured values are recorded as binary file in the access-protected database. - Engineering: Changes in the Configuration Client are recorded in their own audit trail. The system access protection prevents any changes being made to this. 2 Source: Gesetze der USA, Maas & Peither GMP-Verlag, ISBN: 3-934971-00-8 11

Evaluation of with regard to the requirements of 21 CFR Part 11 Evaluation table Wording of the regulation (Original) 2 Comment concerning 11.10.b The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. 11.10.c Protection of records to enable their accurate and ready retrieval throughout the records retention period. 11.10.d Limiting system access to authorized individuals. 11.10.e Use of secure, computergenerated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. 11.10.f Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. Paper form Standard logs are available for the output of the recorded data. The audit trail exists as a system-protected csv file that can be printed. The complete configuration in the Configuration Client can be imported and printed using Excel. Electronic form All applications also provide the information as a file. (csv, pdf, xls) Recordings are protected during their storage by their method of storage and by the access protection of the system. They can be archived in readable form on storage medium. This is ensured by the system-internal user management. All parameterization tools are integrated in the user management. An audit trail is maintained for operator interventions and automatic execution sequences of the system. The data is logged centrally on the server with timestamp (taking account of daylight saving), user name, operator station, executing program and description of the operator action, possibly with old and new value. The audit trail is available in csv format on the central server. It is protected by the user authorization of the operating system. The configured objects can be used as basis for the definition of the locking functions. A specific execution sequence can be forced in the S88-conform batch system. User interventions for confirmation or verification can also be configured here. Note The logged-on user is always entered in the audit trail (csv files). The verifier is noted in the electronic signatures table. This will remain so, up to and including V8.20. 12

Evaluation of with regard to the requirements of 21 CFR Part 11 Evaluation table Wording of the regulation (Original) 2 11.10.g Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. 11.10.h Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. 11.10.i Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. 11.10.j The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. 11.10.k Use of appropriate controls over systems documentation including: 1. Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. 2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. 11.50.a Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: Comment concerning This is ensured by the user management. Operator actions are logged in a uniform manner in the audit trail with details of the process equipment, user, timestamp and the description of the action, possibly with old and new value. ProLeiT can provide only support here. This includes product seminars offered in the ProLeiT training center. As support for the seminars, detailed product manuals exist and hotline support is available. The plant operating company must provide an organizational solution for the maintenance and correct use of the electronic signature. The plant operating company is responsible for the organization and the provision of appropriate quality procedures. The plant operating company is responsible for the organization and the provision of appropriate quality procedures. The plant operating company is responsible for the organization and the provision of appropriate quality procedures. The plant operating company is responsible for the organization and the provision of appropriate quality procedures. 13

Evaluation of with regard to the requirements of 21 CFR Part 11 Evaluation table Wording of the regulation (Original) 2 1. The printed name of the signer; 2. The date and time when the signature was executed; and 3. The meaning (such as review, approval, responsibility, or authorship) associated with the signature 11.50.b The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). 11.70 Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. 11.100.a Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. 11.100.b Before an organization establishes, assigns, certifies, or otherwise sanctions an individual s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. Comment concerning The name of the signing person from the user management must be able to be determined unambiguously and in plain language. All signatures are stored with date and time. The system automatically takes account of daylight saving. The significance can be configured in the application that requires an electronic signature. (For example, for an execution sequence using appropriate operator requests) All information in the system can be displayed or printed appropriately. The system can display and print the groups, users, rights and the parameterized assignments known to the system. Printing notes As of V8.20, the ReDoc function will be reactivated for the user management. This allows the user management to be printed. Electronic signatures, including a unique link to the reference document (e.g. batch, order, object, message, etc.), are entered in a systemprotected database table. This is guaranteed using system-internal unique user IDs. A user ID can occur just once. The plant operating company is responsible for the organization and the provision of appropriate quality procedures. 14

Evaluation of with regard to the requirements of 21 CFR Part 11 Evaluation table Wording of the regulation (Original) 2 11.100.c Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. 1. The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. 2. Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer s handwritten signature. 11.200.a Electronic signatures that are not based upon biometrics shall: Comment concerning The plant operating company is responsible for the organization and the provision of appropriate quality procedures. The plant operating company is responsible for the organization and the provision of appropriate quality procedures. The plant operating company is responsible for the organization and the provision of appropriate quality procedures. 1. Employ at least two distinct identification components such as an identification code and password. 1.i. When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. 1.ii When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. The signature consists of a user ID and the associated password. Signatures always consist of a user identification and the associated password. The user logged on to a session will be entered as default user for the electronic signature and only needs to enter his/her password. Alternatively, a user who is not logged on can sign by entering his/her user identification and password. Signatures always consist of a user identification and the associated password. The user logged on to a session will be entered as default user for the electronic signature and only needs to enter his/her password. Alternatively, a user who is not logged on can sign by entering his/her user identification and password. 15

Evaluation of with regard to the requirements of 21 CFR Part 11 Evaluation table Wording of the regulation (Original) 2 2. Be used only by their genuine owners 3. Be administered and executed to ensure that attempted use of an individual s electronic signature by anyone other than ist genuine owner requires collaboration of two or more individuals. 11.200.b Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. 11.300 Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: 11.300.a Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. 11.300.b Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). Comment concerning This can only be guaranteed and monitored by the plant operating company. The electronic signatures cannot be forged because the entries in the database are protected using a checksum. To prevent misuse, passwords can only be changed by the user him/herself or reset by an authorized person, i.e. this person must have been assigned the appropriate rights. This requires an appropriate assignment into responsibility areas by the plant operating company. Failed attempts to sign a document will be logged. Although does not offer any electronic signatures based on biometric characteristics in the system, if required, external systems for the biometric acquisition can be integrated. This is guaranteed using system-internal unique user IDs. A user ID can occur just once. Users can be required to change their password after a parameterized time. To prevent password repetition, the number of passwords to be remembered and which cannot be reused can be parameterized. 16

Evaluation of with regard to the requirements of 21 CFR Part 11 Evaluation table Wording of the regulation (Original) 2 11.300.c Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. 11.300.d Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. 11.300.e Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Comment concerning This can only be guaranteed and monitored by the plant operating company. Failed authorizations will be logged. This function must be activated from the configuration. If the number of failed logons exceeds the parameterized number of failed logons before the block time is activated, a block time will be active for all subsequent logon attempts. This can only be guaranteed and monitored by the plant operating company. 17

Evaluation of with regard to the requirements of 21 CFR Part 11 Evaluation table 18