Issue



Compliance is just a click away


03/01/2004







Electronic records and 21 CFR Part 11 are here to stay. Here's what it all means for your paperless environmental monitoring system

By Susan Cleary

The last few years have seen the stage set for the evolution of paperless environmental monitoring. Today, new technology is available that lets users capture data electronically, analyze it, and recognize trends before a breach of compliance occurs.

Secure, compliant, automated data transfer is available from instruments such as particle counters as well as data export using portable data standards (XML). Meanwhile, regulations such as 21 CFR Part 11 or Annex 11 have been fine-tuned to define how electronic records can meet and exceed paper-based records.

Although the FDA may be cutting back on its Part 11 enforcement plans, companies do not have carte blanche to disregard the regulations. And while the guidance purports a readiness to become more flexible with respect to certain Part 11 requirements, such as validation, the FDA has also emphasized that it "intend[s] to enforce all other requirements of Part 11" other than those applying to legacy systems (in place prior to 1997), record retention and copying, time stamps, and validation.

Benefits of a compliant software solution

Even though computerized systems have advanced dramatically over the past several years, some regulated manufacturers are still using outdated practices to manage environmental monitoring data. Legacy systems, spreadsheets and lightweight, home-grown database programs have proven complex to use and pose a challenge when it comes to maintaining or upgrading based on regulatory changes.

New systems offer data integrity and security built in, with all data in one central database. A click of the mouse has replaced the search through piles of documents; and having all the data in a central location has made for easier analysis and trend realization.

But of greatest importance, the main benefits of a compliant electronic system are regulatory compliance and avoiding the dreaded and costly 483s and warning letters.

So, what are the big questions?

The questions that have been popping up in regard to 21 CFR Part 11 have had a consistent tone:

  • How should an environmental monitoring software system be 21 CFR Part 11-compliant?
  • What features and functionality address 21 CFR Part 11 regulations?
  • How do you define the regulations as software requirements?

In this article, we'll seek to define and interpret the regulations established by regulatory agencies, and explain them in terms of software features.

These interpretations are based on years of experience in the industry, interviews and discussions with regulated manufacturers and regulatory agencies, as well as numerous user requirements received in the course of software development since the FDA interpretation of 21 CFR Part 11 was published.

Regulation equals requirement

Regulation 11.1 (a). This regulation indicates that electronic signatures are equivalent to handwritten signatures. Like paper records, which provide a snapshot of information at a specific point in time to be signed, electronic records can be locked down to disallow modification after signing.

Information that's added to the software system is then locked down by checking the completed checkbox. After it's locked, data cannot be modified. This three-step complete
eview/approve process allows for three signatures and locks down the data after the first signing.

Regulation 11.1 (e). The FDA should have the ability to view source code and documentation of any laboratory information management system (LIMS) that claims to be 21 CFR Part 11-compliant.

LIMS vendors should be prepared to submit all documentation, including test plans, user requirements, design specifications and validation test scripts, to the agency upon request.

Vendors should also be willing to submit to an on-site demo by qualified personnel of the purchasing company. The company using the LIMS is ultimately responsible for defending the system during a regulatory inspection; the audit documentation will be a part of the documents the FDA will want to see.

Regulation 11.10 (a). Any 21 CFR Part 11-compliant system must be validated. Complete IQ/OQ/PQ is executed at the client's site. A proper validation will include a pilot installation lasting two to four weeks, during which time the system is configured. This is followed by user acceptance testing and then the final installation and validation of the system before going "live."

The vendor should supply all validation documents, updating the documents after a gap analysis (if needed).

Regulation 11.10 (b). All data from the system must be printable and exportable using electronic means; therefore, system-users, depending on access rights, should have the ability to print all information in the database.

The information printed should contain information regarding the date of entry, and the user who entered the data. The act of printing system information should be time stamped and audit trailed.

Full-print functionality in all windows provides the means to copy data out of the system in a compliant manner. The printouts need to be time stamped and contain the name of the person who signed off on the electronic data being copied from the system.


Under 21 CFR Part 11, users should have the ability to print all information in the database. In this example of an independent user log, the window should be printable and the printout should include the name of the person printing and the date and time of printing.
Click here to enlarge image

The above screen shot is an example of an independent user log. This window should be printable and the printout should include the name of the person printing and the date and time of printing.

For electronic exporting for uses such as FDA submissions, portable data can be used by way of XML.

Regulation 11.10 (c). Records need to be retained for a certain period; the time frame is determined based on the type and nature of the records, and the company's standard operating procedures (normally, five to seven years). By archiving completed studies, the company can free up database space and securely store records during the retention period.

End users should require that an archiving utility accompany the environmental monitoring system and a configuration tool. This lets the client view the archived data on demand. The audit trail associated to the data being archived should be archived with it.

Regulation 11.10 (d). Secure and limited access to the software system should be in place. No user can enter the system without using a two-component signature. The environmental monitoring system should be access controlled; logins use both components of the electronic signature to sign into the system.

Regulation 11.10 (e). Change control view needs to display all additions, deletions and modifications to data entered in the system. A complete audit trail that encompasses all changes, deletions and additions to system data should be built in to the system. The screen shot, below, shows a change control display window. The grid contains the time stamp, user who made the change, the type of change, filed name, old value and new value.


Sample of a change control display window. The grid contains the time stamp, user who made the change, the type of change, filed name, old value and new value.
Click here to enlarge image

Regulation 11.10 (f). The software needs to detect whether all the prerequisites of an action taken by a user have been met.

In the screen shot below, the "Completed" check box is checked; this action enables the review check box but not the approval check box. This sequencing of events lets the user approve the protocol only after it has been completed and reviewed.


The "Completed" check box action enables the review check box but not the approval check box. This sequencing of events lets the user approve the protocol only after it has been completed and reviewed.
Click here to enlarge image

Regulation 11.10 (g). Unique and specifically defined user access rights should be in place in the system to limit access to certain functionality such as approval of protocols. Groups or roles can define user access rights.

Regulation 11.10 (h). Automated verification of input should be doable from any device. For example, barcode fonts should contain a check sum to verify the correctness of the input when scanning labels via keyboard wedge or serial interface.

Regulation 11.10 (i). All system users must be trained based on their roles in the system. Users are required to sign off in the training documents, verifying that they are fully trained on the system's functionality and any SOPs that apply to the system.

Proof that users are fully trained on using the system is required before the system validation is closed off. IT personnel and database administrators and all personnel involved in the system set-up should be included in this training.

Regulation 11.10 (j). Standard Operating Procedures (SOPs) must be in place before the system goes "live." Users have to be trained on these SOPs as part of the Regulation 11.10 (i). Document tracking numbers for these SOPs should be included in the validation document and should all be referenced.

Regulation 11.10 (k). System documents, including user guides, training manuals, SOPs, user requirements and design specifications should be managed in a document control system. It's imperative that the version of these documents matches that of the program.

Regulation 11.50 (a) and (b). All signatures shall include the name of the user, the timestamp and the meaning or reason for the signature. This applies to both electronic and hard copies of records.

When viewing records electronically, the signatures are clearly displayed; when records are printed from the system, the signatures and the reason for signing are clearly printed with the records. A place for the electronic signer to sign on the hard copy should be provided in the case where the system is being used as a hybrid-combination of paper and electronic records.

Regulation 11.70. The username signature and the full name of the user should be included on the printouts. Two distinct identification mechanisms should be requested when printing from a compliant system: the username signature and the full name of the user should be included on the printouts.

In a compliant system, a password should be required to generate a printout, and the generation of the printout should be logged in the audit trail. The password requirement links the records to the user and combines the electronic and handwritten signatures in somewhat of a hybrid system where both can be used.

Regulation 11.100 (a). The system should disallow the duplication of a username once it is used, even if it is disabled, and it can never be used again. No two users can possess the same electronic signature. If an attempt is made to reuse a username, an error message should be displayed automatically stating, "this action is disallowed".

Regulation 11.200 (a). This regulation defines when one or both components of the electronic signature are required.

"Continuous session" is an indistinct definition; therefore, a configuration window should let the system administrator set a time-out if the system has not been used for a certain period. This configuration lets the company input their own definition of the duration of a continuous session.

Regulation 11.300. A user name cannot be used twice, even if the username is deactivated. All electronic signatures must be unique and user-configured password aging should be in place.

The password-aging timeframe should be configurable by the system administrator and should be based on the SOPs that apply to the company's policies in the matter. Normally, passwords should be changed every three months.

Regulation 11.300 (d). All additions and modifications to system data will require that a password be entered, with e-mail notification and account lock-out triggered after three unsuccessful password entry attempts. After a predetermined number of attempts (normally, three failed attempts) to access the system, the account in question is deactivated and can only be reactivated by the system administrator. An e-mail is sent to the appropriate people notifying of potential illegal activity.

Wrapping it all up

Simply put, electronic records and 21 CFR Part 11 are here to stay. Key technical control records required for compliance with 21 CFR Part 11 are access security, operational systems and device checks, system controls and electronic signatures.

SUSAN B. CLEARY is director of product development for Novatek International based in Montreal, Quebec. Cleary can be reached at: [email protected]