INTRODUCTION
The United States Food and Drug Administration (FDA) and the European Commission have defined regulations for the conditions under which regulated companies can submit electronic records in lieu of paper documents.
These regulations define the measures that must be in place to ensure the integrity, trustworthiness, and reliability of electronic records. The regulations define and require three types of controls:
- Administrative controls, e.g. the definition of policies such as the identification of individuals and non-repudiation of electronic records.
- Procedural controls, e.g. Standard Operating Procedures for using and maintaining the system.
- Technical controls e.g. functions built into the software such as security and access to the system as well as the audit trail
For compliance with the regulation, all three of the above controls must be implemented.
REGULATIONS
21 CFR part 11 (Electronic Record: Electronic Signatures final rule) defines criteria for acceptance by the FDA of electronic records and signatures on electronic records as equivalent to paper records and handwritten signatures. It defines the criteria for which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures.
It requires FDA-regulated industries to implement controls, audit trails, validations, electronic signatures, and documentation of software systems involved in processing electronic data.
Where 21 CFR part 11 applies to the companies doing business with the USA, the European Commission has created for computerized systems the Annex 11(computerized systems) to Volume 4 of GMP for the European market. Similar to the FDA regulation, Annex 11 applies to all forms of computerized systems used where GMP regulations apply. Annex 11 applies when computerized systems replace manual operations; there should be no resultant decrease in product quality, process control, or quality assurance, as well as no process-related risks.
Orcanos Compliance to 21 CFR Part 11 & EU Annex 11
| ACCESS AND RETRIEVABILITY Requirements | ||
| 21 CFR Part 11 | EU Annex 11 | |
 | | |
| Access to records in human-readable form | | |
| You can print out copies of the records. | | |
| Retrieving the record retrieves the whole record. | | |
| The system detects invalid or altered results. | | |
| The integrity of the whole record is maintained throughout the entire retention period. | | |
| You have taken the appropriate physical and electronic means to protect the record from damage/alteration. | | |
| Records are backed up. | | |
| SECURITY | ||
| Prohibit access to unauthorized individuals. | | |
| Access is unique to an individual. | | |
| Creating/modifying/deleting user access must be recorded. | | |
| Prevention of auto-logins | | |
| Access levels are defined. | | |
| System administrators with the capability to delete records are independent of system users. | | |
| Controls for unattended systems (e.g. auto logouts) | | |
| Passwords are changed | | |
| Lockout or notification after X number of unsuccessful login or signature attempts | | |
| Authentication of interfaces before the transfer of data. | | |
| Checks for critical manually entered data (e.g. second operator or by electronic means) | | |
| CHANGE CONTROL | ||
| Change is documented | | |
| Changes do not obscure previously recorded records. | | |
| Must be able to detect which records have changed | | |
| Capture human actions that create, modify or delete a record. | | |
| System generated | | |
| Contains user ID, date/time of the action (create/modify/delete), and for changed records reason for change. | | |
| Users cannot alter the date/time of the system. | | |
| The audit trail is protected from modification and cannot be disabled. | | |
| The system provides access to review the audit trails, and when a record is critical or subject to alteration, a review is done for these records on a periodic basis to ensure data integrity | | |
| ELECTRONIC SIGNATURE | ||
| Electronic signature is linked to electronic record | | |
| Electronic signatures under same controls as electronic records | | |
| Cannot reuse an electronic signature from another individual | | |
| An electronic signature must have a combination of at least 2 unique components and one must only be known by the user | | |
| Electronic signature shows name of the user, date/time of the signing, and meaning of signature | | |
| The signature session must end after a specified period of inactivity | | |
| The system reports unauthorized attempts to sign a document | | |
| No automated executions of signatures | | |
| OPEN SYSTEM | ||
| Data must be encrypted | | |
| Digital signatures used | | |
| There must be security at both the sending and receiving systems | | |
| HYBRID SYSTEMS | ||
| Final revisions of paper and electronic records must have the same electric content | | |
| Traceability between electronic and paper records | | |
| Electronic record must have an indication when handwritten signatures are applied to the contents of the record | | |
| When paper records are produced from a database, there must be sufficient information regarding the generation of the printout so it can be reproduced | | |
| Control in place to ensure all data is kept including failed results | | |
| Like in paper records, those printed on thermal paper have a mechanism in place to protect them over time | | |
| If successive operations, events, and/or data entry are required, the system must ensure the steps are followed in the correct sequence. | | |
| SEQUENCING & WORKFLOW | ||
| If successive operations, events, and/or data entry are required, the system must ensure the steps are followed in the correct sequence. | | |
| BUSINESS CONTINUITY | ||
| For systems supporting critical processes (e.g. systems that are part of site business continuity plan), provisions must be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use must be based on risk and appropriate for a particular system and the business process it supports. These arrangements must be adequately documented and tested. | | |
The post 21 CFR part 11 vs. EU Annex 11 appeared first on Orcanos: Quality Management System: ALM Software Solution Tool.