Yours Chromatographically, Kaushik Zala

INTRODUCTION

In 1997 the United States Food and Drug Administration (FDA) issued a regulation that provides criteria for acceptance by the FDA of electronic records, electronic signatures and handwritten signatures (1). This was done in response to requests from the industry. With this regulation, titled Rule 21 CFR Part 11, electronic records can be equivalent to paper records and handwritten signatures.

Such a regulation was important because electronic data handling offers noteworthy benefits in the manufacturing area and also for the huge amount of data generated in analytical laboratories. The use of fully electronic data acquisition, evaluation, management and archiving promises major improvements in the workflow.

The development of the rule was initiated around 1990 by the US Pharmaceutical Manufacturing Association (PMA, now Pharmaceutical Research and Manufacturing Association, PhRMA). Shortly after that the PMA and also the US Parental Drug Association (PDA) formed technical groups to address the subject. Industry representatives met many times with the FDA's task force under Paul J. Motise to determine how to accommodate paperless record systems under the current Good Manufacturing Practice (cGMP) regulations. The task force recommended publication of an “Advanced Notice of Proposed Rulemaking” (ANPRM) to obtain public comments on the issues involved.

The ANPRM was published in 1992. The FDA requested and received comments on a number of concerns. In 1994 the FDA published the proposed rule that incorporated many of the comments received to the ANPRM. Again, the FDA received comments from individuals, manufacturers and trade associations on the proposed rule. Finally, the rule became effective on Aug 20th, 1997 as 21 CFR Part 11. The rule is available on the FDA's websitehttp://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=58&showFR=1.

The new rule has high visibility and is the subject of discussion not only in the United States but also in many other countries. There are two reasons:

•  Use of validated existing and new computerized systems.
• Secure retention of electronic records and instant retrieval.
• User-independent computer generated time-stamped audit trails.
• System and data security, data integrity and confidentiality through limited authorized access to systems and records.
• Use of secure electronic signatures for closed and open systems
• .Use of digital signatures for open systems.
• Use of operational checks.
• Use of device checks.
• Determination that the persons who develop, maintain or use electronic systems have the education, training and experience to perform their assigned task

• ·The current process of generating signatures has to be evaluated
  (Who has to sign what and when?).
• New procedures have to be developed in the company and in the laboratory for limited authorized access to systems and data (Who can do what?).
•  Computerized systems used for implementation must be updated or replaced to ensure correct functionality.
• The manner of using and handling I.D. codes and passwords as a basis for “legally” binding signatures may have to be changed.
• New specialists, for example, “electronic archivists”, may be required.

• Exactly which records should be retained? (Especially when data has to be re-evaluated several times before it can be finally accepted).
• When do we need computer generated audit trails and how do we implement them? What should be tracked and after which entries does the user of the system have to confirm the entries as being logged?
• How do you bind electronic and handwritten signatures with the electronic records?
• What do we do with existing computer systems that don't have the appropriate functionality?
• What records should we archive: original electronic records, standard files such as PDF or XML, or can we make printouts and delete the electronic records?
• The FDA promotes risk-based compliance, what does this mean for Part 11?

Terminology

Electronic Records

Closed system

Open system

Electronic Signature

Digital signature

Biomeric

Hybrid systems

Meta data

Predicate rule

Requirements of the Rule

System Validation - 11.10(a)

1. Limited and authorized system access. This can be achieved by entering correct and incorrect password combinations and verifying if the system behaves as intended.
2. Limited access to selected tasks and permissions. This can be achieved by trying to get access to tasks as permitted by the administrator and verifying if the system behaves as specified.
3. Computer generated audit trail. Perform actions that should go into the e-audit trail according to specifications. Record the actions manually and compare and contrast the recordings with the computer generated audit trail.
4. Accurate and complete copies. Calculate results from raw data using a defined set of evaluation parameters (e.g., chromatographic integrator events, calibration tables etc.). Save raw data, final results and evaluation parameters on a storage device. Switch off the computer. Switch it on again and perform the same tasks as before using data stored on the storage device. Results should be the same as for the original evaluation.
5. Binding signatures with records. Sign a data file electronically. Check the system design and verify that there is a clear link between the electronic signature and the data file. For example, the link should include the printed name or a clear reference to the person who signed, the date and time and the meaning of the signature.

Accurate and Complete Copies - 11.10(b) and 11.10(c)

Accurate and Ready Retrieval - 11.10(c)

Limited Access - 11.10(d)

User-Independent Computer Generated Time-Stamped Audit Trails  -  11.10(e)

Operational System Checks - 11.10(f)

Use of Authority Checks  -  11.10(g)

•  Perform selected permitted tasks.
• Change a record.
• Electronically sign a record.

Use of Device Checks  -  11.10(h)

Requirements for Signed Electronic Records - 11.50

Linking records to Signatures - 11.70

General requirements for electronic signatures - 11.100

Electronic signature components and controls - 11.200

Controls for identification codes/passwords - 11.300

New Scope of 21 CFR Part 11

1. The record is required by a predicate rule, e.g., electronic batch records for 21 CFR Part 211 and electronic training records in 21 CFR Part 58.
2. The electronic records are used to demonstrate compliance with a predicate rule, e.g., electronic training records for compliance with 21 CFR Part 211.

1. When electronic records are used instead of paper.
2. When persons make printouts but still rely on the electronic records in the computerized system to perform regulated activities.
3. Records submitted to the FDA, under predicate rules (even if such records are not specifically identified in agency regulations) in electronic format.
4. Electronic signatures intended to be the equivalent of handwritten signatures, initials and other general signings required by predicate rules.

1. "That is, we do not intend to take enforcement action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of Part 11 as explained in this guidance".
2. "However, records must still be maintained or submitted in accordance with the underlying predicate rules, and the Agency can take regulatory action for noncompliance with such predicate rules".
3. "Note that Part 11 remains in effect and that this exercise of enforcement discretion applies only as identified in this guidance".
4. "We will enforce all predicate rule requirements, including predicate rule record and recordkeeping requirements".

Validation

1. "The Agency intends to exercise enforcement discretion regarding specific Part 11 requirements for validation of computerized systems (§ 11.10(a) and corresponding requirements in § 11.30)".
2. "Although persons must still comply with all applicable predicate rule requirements for validation (e.g., 21 CFR 820.70(i)), this guidance should not be read to impose any additional requirements for validation".
3. "We suggest that your decision to validate computerized systems, and the extent of the validation, take into account the impact the systems have on your ability to meet predicate rule requirements".
4. "We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity".
5. "For instance, validation would not be important for a word processor used only to generate SOPs".

1. Define risk categories for computer systems, for example, high, medium or low.
2. For each validation phase define the extent of validation for each risk level. For example, vendor assessment for a high-risk system may require a vendor audit and for medium and low risk systems just documentation on the vendor’s reputation and experience.
3. Assign each individual computer system used for GxP applications to a specific risk level.
4. Define validation steps for each individual system.

Audit Trail

1. "The Agency intends to exercise enforcement discretion regarding specific Part 11 requirements related to computer-generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in §11.30)".
2. "Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries".
3. "We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity".
4. "Audit trails can be particularly appropriate when users are expected to create, modify, or delete regulated records during normal operation".

Copies of Records

1. "Producing copies of records held in common portable formats when records are maintained in these formats".
2. "Using established automated conversion or export methods, where available, to make copies in a more common format (examples of such formats include, but are not limited to, PDF, XML, or SGML)".
3. "In each case, we recommend that the copying process used produces copies that preserve the content and meaning of the record".
4. "If you have the ability to search, sort, or trend Part 11 records, copies given to the Agency should provide the same capability if it is reasonable and technically feasible".
5. "You should allow inspection, review, and copying of records in a human readable form at your site using your hardware and following your established procedures and techniques for accessing records".

Record Retention

1. "The Agency intends to exercise enforcement discretion with regard to the Part 11 requirements for the protection of records to enable their accurate and ready retrieval throughout the records retention period".
2. "We suggest that your decision on how to maintain records be based on predicate rule requirements and that you base your decision on a justified and documented risk assessment and a determination of the value of the records over time".
3. "FDA does not intend to object if you decide to archive required records in electronic format to nonelectronic media such as microfilm, microfiche, and paper, or to a standard electronic file format (examples of such formats include, but are not limited to, PDF, XML, or SGML)".
4. "Persons must still comply with all predicate rule requirements, and the records themselves and any copies of the required records should preserve their content and meaning".
5. "As long as predicate rule requirements are fully satisfied and the content and meaning of the records are preserved and archived, you can delete the electronic version of the records".

Justification and Documentation of Part 11 Compliance

• Is the record required by predicate rule?
• Is a regulated activity dependent on the record?
• What is the company’s business practice?
• Have operators or supervisors access to data, can they change data and can such data impact product quality?

Applications

•  Does this software have to comply with Part 11?
• I am using a system xy from vendor xz, do I have to comply with Part 11?
• Our software does not have electronic audit trail, can I still use it for GxP applications?
• Can I use the Internet on the same computer where I run GxP applications?
• I print my GxP records right after acquisition without operator interaction, does Part 11 apply?
• I am using Excel templates as a sophisticated calculator. I don’t store records electronically. Does Part 11 apply?

Spreadsheet Applications

1. Perform the tasks using other software that better enable users to comply with regulations.
2. Change the way spreadsheets are developed and used and apply all functions built into the spreadsheet programs to increase the level of compliance. Develop a gap analysis and a corrective action plan. One action item can be step 3.
3. Evaluate and implement “add on” software packages that better enable users of spreadsheet programs to comply with regulations.
4. Use data management software with built-in Excel support and Part11/GxP functionality

1. Develop, communicate and enforce a company policy and master plan for spreadsheet calculations.
2. Prepare an inventory list with all computers that run spreadsheets.
3. Standardize “development and use” as much as possible.
4. Protect spreadsheets using built-in standard software and IT infrastructure (e.g., client/server).
5. Validate spreadsheet calculations.
6. Follow recommendations in Chapter 4 of this primer to define and document other Part 11 controls and extent of implementation.
   Document and justify your approach.

• Limited and authorized access to the spreadsheet through a secure server.
• The server directory is write-protected. Therefore the spreadsheet cannot be changed and saved on the same directory.
• The source directory, file name and revision number of the spreadsheet are printed together with the results. This demonstrates that only the original spreadsheet has been used.
• Cells for data entry are in green. This makes it easy for the user to only access cells for data entry.
• Cells that are not used for operators are protected and cannot be used.
• Cells with results that are in specifications are in green and cells with results that are out-of-specifications are in red.
• If there are out-of-specifications results operators get hints on what steps to take for corrective actions.
• Data input are validated for plausibility. Operators are alerted about input data that are outside allowed ranges. This reduces errors during data entry.
• Results are displayed in table and graphics form.
• All menu items have been removed. Operators are only able to start, print and exit.
• The entire spreadsheet is validated. The focus is more on checking limited access, retrieval of correct files and correct input and output locations than on verification of standard Excel calculations.

Scanning Paper to Electronic Files for Archiving and Easier Search

1. Develop a procedure for the entire process.
2. Validate the process to ensure “true copies”. This is best done by scanning a document that requires the highest resolution. Scan the document, print it and compare the printout with the original. Verify if the resolution is within previously specified acceptance criteria.
3. If an automated scanner is used, check if all pages have been scanned.
4. Convert the scan into a PDF file.
5. Save the PDF file with a high security option. This means users of the file can read but not change the file.

Internet

• Release of batch approvals.
• · Approval and release of validation lifecycle checkpoints and validation and reports.
• · Electronic artwork transfer.
• Remote approval of Certificates of Analysis at contract laboratories.
• Updates, exchange and approval of training records and SOPs.
• Administration of electronic patient records.
• Billing information exchange between healthcare provider and insurance.
• Tele Medicine (remote surgery, diagnostics, imaging).
• Drug prescription online.
• Electronic patient card.
• Centralized and local patient data administration.

• Confidentiality: The contents of the data should only be accessible by authorized persons.
• Integrity: The data should be exactly the same at source and destination computer.
• Authenticity: The authenticity of the sender of the data must be guaranteed.
• Non-repudiation: Sender and recipient of the data cannot deny to have sent or received the data.

• ·Training programs for theory and use of modern Internet technology.
• Security procedures.
• Procedures to protect computers from viruses.
• Procedures for downloading data from the Internet.

Program Logical Controller PLC

Networks

• Security: There are many connection points to the network. Connection through one port gives access to the entire network if there is no additional control to sections. Network security through physical and/or logical controls is of utmost importance. Technical controls should be validated and procedures enforced.
• Typically the network also supports high-risk applications such as back-up and archiving of high-risk records. Such applications should be validated and comply with Part 11.
• Loosing data or inaccurate file transfer is not only a business problem but also violates the requirement for trustworthiness. Therefore file transfer accuracy should be verified under normal and high load.
• Applications supported by the network should be validated. Examples include Electronic Batch Records (EBR) Systems, Enterprise Resource Planning (ERP) Systems and Laboratory Information Management Systems (LIMS). The test environment should include the same network components as the live environment.
•  Network infrastructure should be qualified. This mainly means good planning and documentation of the network through diagrams and inventory lists. It also means using a well-controlled procedures for changes.

• Specify network requirements.
  Specifications should include: network devices, software, computer hardware, computer peripherals and cables. Specifications are based on anticipated current and future use of the network.
• Develop a network infrastructure plan.
• Design network infrastructure and drawings.
• Select equipment and vendors for computers, NOS, network devices etc.
• Order equipment: computer hardware, software (OS, NOS), network devices, peripherals.
• Install all hardware devices according to design drawings and vendor documentation.
• Perform self-diagnostics, document hardware installation and settings (this completes the IQ part).
•  Document this as network baseline.
•  Make a back-up of installed software and network configurations. Whatever happens, it should be possible to return to this point.
• Test communication between networked computers and peripherals and access control including remote access control.
• Develop and implement rigorous configuration management and a change control procedure for all your network hardware and software. This should also include updates of system drawings if there are any changes.
• Before applying any system changes to a production environment they should be verified in a test environment to insure that they do not impact the intended functionality of the system.
• Monitor ongoing network traffic using a network health monitoring software. 

• Develop a validation plan and schedule using your validation master plan as a guideline.
• Specify application software that runs on the qualified network e.g., networked data system.
• Select and qualify the vendor.
• Install application software and perform IQ set-up (define and document configuration settings, verify “proper” software installation through installation verification routines)
• Verify correct functioning of this application software. Apply common computer validation practices for this.
• Testing should include network transactions under normal and high load. For this test you can decide to refer to verifications done as a built-in TCP/IP transfer protocol. The advantage is that this is built into the system and done on an ongoing basis. However, this is not 100% accurate as there are rare situations where the test does not work. To be on the safe side, you should use something like MD5 hash calculation routines based on 128 bit strings. Ask the vendor of your application software as sometimes such tests are built-in.
• Monitor ongoing performance of your application. The type of performance test depends on the application.
• For networks supporting high-risk applications monitor network connections and traffic using a network health monitoring software.

• Physical diagrams such as component locations and cabling.
• Logical diagrams like TCP/IP schemes and how components interrelate with each other.
• If dynamic IP addressing is used in the network scheme, a procedure should also be in place to indicate how this dynamic IP addressing is being utilized (including the procedure for sub-masking of the IP addresses). This will enable appropriate tracing of data or traffic flow, in case such a tracing is needed to prove the data integrity and security.

Implementation Summary

1. Form a task force with members from the IT department, if existing, QA personnel and laboratory staff.
2. Decide whether you intend to use electronic signatures. Report the decision to the FDA, for example: “This is to certify that "My Company" intends that all electronic signatures executed by our employees, agents or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures”.
3. Create awareness for Part 11 among all employees, especially on the accountability of electronic signatures. For example, people should sign something like this: “I understand that electronic signatures are legally binding and have the same meaning as handwritten signatures”.
4. Make an inventory of all computers in your organization or department that generate records required by a predicate rule or records that are used to demonstrate compliance with a predicate rule.
5. Develop a master plan and SOP for risk assessment.
6. Determine the risk category for each system.
7. Define a priority schedule to bring all computer systems into Part 11 compliance.
8. Develop a procedure on how to define Part 11 controls.
9. Define Part 11 requirements for each system.
10. Do a gap analysis to determine missing functionality and procedures for systems in 7.
    Develop an implementation plan to bring systems as identified in 7 into Part 11 compliance.
11. Estimate costs for the systems as identified in 7 and for the whole project.
    Develop procedures for limited system access to authorized individuals. This should include a password policy.
12. Develop procedures for implementing audit trails, to ensure data integrity and for long-term archiving with data retrieval throughout the entire retention period.
13. Get management support and funding for the project.

References

1. Code of Federal Regulations, Title 21, Food and Drugs, Part 11 Electronic Records; Electronic Signatures; Final Rule; Federal Register 62 (54), 13429-13466.
2. L. Huber, “Validation of Computerized Analytical and Networked Systems”, Interpharm Press, an IHS Health Group company, Englewood, Colorado, USA, ISBN 1-57491-133-3, approx. 250 pages, 2002.
3. GAMP 4 Guide: “Validation of Automated Systems”, ISPE, Brussels, 2001 (order from www.ispe.org).
4. Pharmaceutical Inspection Convention/ Pharmaceutical Inspection Co-operation Scheme (PIC/S): “Good Practices for Computerized Systems in Regulated GxP Environments”, 2003.
5. Labcompliance, Internet Quality Package, 2005.
   Order from www.labcompliance.com/books/internet.
6. FDA Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Applications (Draft February 2003, Final version August 2003). Available at http://www.fda.gov/cder/guidance/5667fnl.pdf.
7. L. Huber, “Risk-Based Validation of Commercial Off-the-Shelf Computer Systems”, Journal of Validation Technology, May 2005, Vol 11, No. 3.
8. Labcompliance Standard Operating Procedure; S-252. “Risk-Based Validation of Computer Systems”. Order from www.labcompliance.com/books/part11.
9. Labcompliance, Macro & Spreadsheet Quality Package, 2003.
   Order from www.labcompliance.com/books/macros.
10.  Labcompliance, Network Quality Package, 2005.
    Order from www.labcompliance.com/books/network
11. Labcompliance, “21 CFR Part 11: Electronic Records and Signatures”, Frequently Asked Questions. Order from www.labcompliance.com/books/part11