Beruflich Dokumente
Kultur Dokumente
Meeting Part 11 compliance remains challenging; eventually Part 11 will be viewed as a significant, impelling
force to drive companies from a paper-records environment to a more efficient electronic-records environment.
Although it’s understood that merely purchasing a chromatography data software package that incorporates
thorough Part 11 technical controls does not make one fully compliant, complete technical controls should
be inherent in any system that is used in a regulated environment. The technical controls for 21 CFR Part 11
compliance are built into Empower 2 Software.
21 CFR Part 11 has recently gained momentum within • Retrieve machine-readable data on demand within
FDA field operations as the enforcement of Part 11 minutes via an online storage device
has increased. The rule, originally proposed by the • Establish traceability between the human-readable
pharmaceutical industry to reduce the burden of data and the machine-readable data
paper in 1991, became effective in August of 1997.
• Integrate Empower 2 Software with other applications
Summary of Waters Strategies for Compliance implemented for computer systems. This publication
mainly focuses on the technical controls required by
Empower 2 Software uses Oracle as the underlying
Part 11 that are provided by Empower 2 Software for
relational database, providing a robust and scalable
trustworthy and reliable scientific data management.
architecture. Empower 2 Software meets all of the
technical requirements for electronic records as Although this paper addresses key technical controls
prescribed by 21 CFR Part 11. The current version of from 21 CFR Part 11, it is not intended to cover
this product helps any regulated company meet the core everything that Part 11 compliance should encompass.
requirements of Part 11 with a clear plan and strategy To satisfy this requirement, persons must, among other
for full compliance, including electronic signatures. things, employ procedural and administrative controls
that oversee conformance to Part 11 requirements.
The following sections describe the key recommendations
of Part 11 and how Empower 2 Software aids in
compliance with the described technical controls. Electronic Records—Applicability and Definition
Per 21 CFR Part 11, the definition of an electronic
Scope of 21 CFR Part 11 (§ 11.1): record is, “any combination of text, graphics,
The general scope of Part 11 states, data, audio, pictorial, or other information
“The regulations in this part set forth the representation in digital form that is created,
criteria under which the agency considers modified, maintained, archived, retrieved, or
electronic records, electronic signatures, and distributed by a computer system.”
handwritten signatures executed to electronic 21 CFR Part 11 applies to all electronic records
records to be trustworthy, reliable, and used to meet GxP (GMP, GCP, GLP) requirements,
generally equivalent to paper records and including, but not limited to, systems for:
handwritten signatures executed on paper.”
• Batch records, SOPs, test methods, specifications
As the pharmaceutical and biotech industries and policies
move from paper to more flexible electronic data
• Inventory records
and information environments, Part 11 and other
regulations will ensure continued data integrity in • Calibration and preventative maintenance records
electronic formats. Overall, it is believed that more • Validation protocols and reports
secure and trustworthy data will ultimately result from
• LIMS systems
Part 11 compliance in the life science arena.
• Chromatography data systems
In addition to enhancing the integrity of data required
to be maintained by the predicate rules (GxP regulates • Customer-complaint files
the Federal Food, Drug and Cosmetic Act, the Public • Adverse event reporting systems
Service Act or any FDA regulation except for Part
• Automated document management systems
11), Part 11 also paves the way for full electronic
submissions to the FDA.
The Rule says: “For records required to be Controls for Closed Systems (§ 11.10):
maintained but not submitted to the agency, Essentially, these are the measures designed to ensure
persons may use electronic records in lieu the integrity of system operations and electronic
of paper records or electronic signatures in records stored in a closed system.
lieu of traditional signatures, in whole or
Section 11.3 indicates that a, “Closed System
in part, provided that the requirements of
means an environment in which system
this part are met…. For records submitted
access is controlled by persons who are
to the agency, persons may use electronic
responsible for the content of electronic
records in lieu of paper records or electronic
records that are on the system.” By definition,
signatures in lieu of traditional signatures, in
Empower 2 Software is a closed system.
whole or in part.”
The Rule further states that, “Persons who use
Measures to ensure the trustworthiness of electronic
closed systems to create, modify, maintain,
records and electronic signatures consist of
or transmit electronic records shall employ
administrative, procedural and technical controls
procedures and controls designed to ensure the
authenticity, integrity, and, when appropriate, when considering that the FDA considers paper
the confidentiality of electronic records, and to printouts of electronic records not suitable substitutes
ensure that the signer cannot readily repudiate for those electronic records.
the signed record as not genuine.” Archiving implies that electronic information is stored
Some of the procedures and controls required to and then moved from active state to inactive state.
maintain record integrity in closed systems include: Upon archiving, records must be protected to ensure
• Validation (§11.10(a)) record access and usability for the duration of the
established record retention period. Controls must be
• The ability to generate accurate and complete
implemented to ensure that archiving preserves the
copies of records in both human readable and
trusted status of the record and allows for long-term
electronic form suitable for inspection, review and
access and use.
copying by the agency (§11.10(b))
Secure archiving requires:
• Protection of records to enable accurate and
ready retrieval throughout the records retention • Moving data to a secure storage area that is still
• Limiting system access to authorized individuals • Maintaining the integrity of the data during a move
• The use of computer generated, time-stamped • Maintaining data integrity for the duration as
audit trails to independently record the date and defined in applicable record retention policies
time of operator entries and actions that create, • Technology that preserves integrity of the record
modify or delete electronic records. Record before, during and after a data migration activity
changes shall not obscure previously recorded
• Ensuring that the audit trail is archived
information. Such audit trail documentation will
be retained for a period as least as long as that • Technology and procedures that permit data to be
required for the subject electronic records and retrieved and copied, in both electronic and human
will be available for agency review and copying readable form, throughout the life of the data
(§11.10(e))
It is further stated that, “Persons who use open The Rule does, however, require signature
systems to create, modify, maintain, or manifestations to contain three key pieces of metadata.
transmit electronic records shall employ It is stated that “Signed electronic records
procedures and controls designed to shall contain information associated with
ensure the authenticity, integrity, and, as the signing that clearly indicates all of the
appropriate, the confidentiality of electronic following: (1) The printed name of the signer;
records from the point of their creation to (2) The date and time when the signature
the point of their receipt. Such procedures was executed; and (3) The meaning (such
and controls shall include those identified as review, approval, responsibility, or
in §11.10, as appropriate, and additional authorship) associated with the signature.
measures such as document encryption (b) The items identified in paragraphs (a)(1),
and use of appropriate digital signature (a)(2), and (a)(3) of this section shall be
standards to ensure, as necessary under the subject to the same controls as for electronic
circumstances, record authenticity, integrity, records and shall be included as part of any
and confidentiality.” human readable form of the electronic record
web-based system used for transmitting data. Subpart Also, the electronic signature is subject to the same
B, §11.30 states that the controls for closed systems
also apply to open systems. However, in order to
maintain the authenticity, integrity and confidentiality
of electronic records that are transmitted over an open
system, tighter controls such as digital encryption
would be required. Empower 2 Software is not an
open system.
21 CFR Part 11 does not mandate electronic needed for an e-signature manifestation.
controls as e-records and must be included in any record by ordinary means.”
human- readable form of the record such as display or Linking the signature to the original electronic record
printed copies. is especially critical when a printout or an electronic
Empower 2 Software provides the ability to achieve copy of the e-record becomes orphaned from that e-
compliance with this part of the Rule. The software record. The signature must not be lost.
captures and displays the three pieces of metadata of Empower 2 Software provides the ability to achieve
which a signature manifestation should consist. The compliance with this part of the rule. The software
Empower 2 Software e-signature option displays the full enables non-breakable linking of electronic signatures
printed name of the signer, the date and the time that the to electronic records. The Empower 2 Software
signature was executed and a meaning for the signature e-signature information is stored in the Oracle
(configure meanings in the Project Manager for review, relational database and is permanently linked to
approval, authorship, responsibility, etc.). These are all the record itself. It is not possible to excise, copy or
required elements when a record is signed. transfer the signature to another unsigned document.
For trustworthy signed electronic records, electronic ELECTRONIC SIGNATURE COMPONENTS
signatures should be unique to one individual and AND CONTROLS (§ 11.200):
should not be reused or reassigned
Electronic signatures may be either non-biometric or
to anyone else:
biometric. For non-biometric electronic signatures, two
• Empower 2 Software prevents re-allocation forms of identification are required. These can be any
of e-signatures and prevents deletion of any of the following:
information relating to a signature once it has
• User ID and password
been used
• Card key and password
• Empower 2 Software does not allow signature
information to be removed from an electronic • Two passwords
record once it has been applied The Rule defines Biometric as, “A method of
verifying an individual’s identity based on
measurement of the individual’s physical
Signature/Record Linking (§ 11.70):
feature(s) or repeatable actions(s) where
Section 11.70 ensures the integrity of either electronic those features and/or actions are both
or handwritten signatures executed to electronic unique to that individual and measurable.”
records by specifying that, “Electronic signatures
Some familiar examples include, voiceprints, finger/thumb
and handwritten signatures executed to
print recognition, retinal scans or any device or method
electronic records shall be linked to their
designed to ensure use only by the genuine owner.
respective electronic records to ensure that
the signatures cannot be excised, copied, or “Electronic signatures that are not based
otherwise transferred to falsify an electronic upon biometrics shall:
Electronic Signatures, General §11.200(a)(1) System shall ensure that the first
Requirements (§ 11.100): signing in a controlled session requires both
biometrics shall be designed to ensure that • Within Empower 2 Software, each time you
they cannot be used by anyone other than sign a report in a non-contiguous fashion, both
their genuine owners.” the username and password are required for
• Provides the ability to achieve compliance with • During non-continuous access, both components
this part of the Rule are required for each signing. See §11.200(a)(1)
Figure 8. Empower 2 Software allows you to create Such controls shall include:
a unique sign-off policies. A. Maintaining the uniqueness of each combined
identification code and password, such that no
two individuals have the same combination of o The user account is disabled, requiring an
identification code and password. administrator to unlock
B. Ensuring that identification code and password o Notification is sent to the Security Monitor
issuances are periodically checked, recalled or and the Audit Trail
revised (e.g., to cover such events as password o This feature cannot be disabled
aging).
Denmark 45 46 59 8080
WATERS CORPORATION
34 Maple St.
Milford, MA 01757 U.S.A.
T: 508 478 2000
F: 508 872 1990
www.waters.com