21 CFR Part 11 compliance guide for the Morphologi software

This note details the requirements of 21 CFR Part 11 and describes how the Morphologi software meets these requirements.

Introduction

This note details the requirements of 21 CFR Part 11, hereinafter referred to as "the Rule", and describes how the Morphologi software, referred to as "the software", meets these requirements.

If additional procedural steps are required to achieve compliance, these are highlighted with a document icon. Within this document, quotes from "21 CFR Part 11 - Final rule" are shown in boxes.

This document may also be used to understand how the Morphologi software package complies with Annex 11 of EU GMP guidelines.

Sec. 11.2 Implementation.

For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.

If the electronic records produced by the software are required for inspection by the FDA, such as a batch quality check, then the record may be kept in an electronic form if the requirements of the Rule are met.

The software can satisfy most of the requirements of the Rule.

For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:

  1. The requirements of this part are met; and

  2. The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific centre, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.

If the records produced by the software are required for submission to the FDA, as part of a new drug application for example, then the data must be submitted in a format acceptable to the FDA.

The software can export data in ASCII format that is acceptable to the FDA. It can also be set to save results as portable document files (.pdf files) using Adobe Acrobat®. These files can be digitally signed and can form part of a submission.

Subpart B - Electronic Records

Sec. 11.10 Controls for closed systems.

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

The Morphologi software has been numerically validated and a Right to View the Lifecycle Documentation is available to users as a part of a chargeable audit.

A generic Vendor Audit Question and Answer document can be provided as part of a chargeable audit to help with Vendor Qualification and validation of the software. Rights to View the software Source Code and the lifecycle documentation are also provided as part of a chargeable audit under a non-disclosure agreement.

An Installation Qualification (IQ) and Operational Qualification (OQ) are available as a separate stand-alone element.

The software does not support invalidating a measurement record. If a measurement record is to be considered as invalid, a written procedure must be implemented to record the measurement record as such.

The measurement records are stored in a binary format and alteration using a third-party utility would be difficult and can be considered unreasonable. If a record is edited from within the application, the original record is not obscured; a new record with the altered data is created and appended to the record file.

The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

In addition to normal printed output, the software can export data in ASCII form for inspection by the FDA.

Protection of records to enable their accurate and ready retrieval throughout the records retention period.

The protection of the electronic records requires users to implement some form of backup procedure to copy the records onto a long-term storage medium such as magnetic tape or CD-ROM.

The software does not provide an integral solution for this requirement because each user has different needs as well as different peripherals. Some users may choose to back up to a central data server using a network; others may prefer to back up at the instrument using a Tape Streamer or a CD-Writer. Since the software runs on Microsoft Windows™, all of these options are available from third parties. Malvern Instruments can provide systems with archival devices fitted if required.

(a) Limiting system access to authorised individuals.

The FDA does not specify the method for limiting system access to authorized individuals. The security applied depends on the sensitivity of the electronic record and the possible effect on public health of alteration of the record. The software has an integrated authority-checking system that can be further enhanced by using the security system of Microsoft Windows™.

In all cases, a written procedure will be required to detail those authorized to access the system and how access restriction is implemented and maintained.

Users should note that this section calls for

"use of transaction safeguards to prevent unauthorised use of passwords and/or identification codes and to detect and report in an immediate and urgent manner any attempts at their unauthorised use to the system security unit and, as appropriate to organizational management."

Reference to paragraphs 133 to 135 of the Preamble to the Rule will show that the FDA expects the required reporting to have the same urgency as a fire alarm, so that a would-be intruder can be apprehended at the computer terminal by security personnel.

To our knowledge, no supplier has succeeded in providing a solution that fully satisfies this requirement in the spirit intended.
Until a suitable technological solution is available, this requirement must be satisfied by procedural means.

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

The software incorporates audit trail information in the measurement file. In this way, it cannot be separated from the data.

The audit trail is computer-generated and cannot be altered. When correctly configured, the software prevents record deletion and, once created, measurement data cannot be obscured.
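The following added example (not Malvern's code, and not a description of the Morphologi file format) illustrates the two properties described above: edits append a new version instead of overwriting, and the audit entry travels inside the record so that alteration is discernible. The keyed hash chain, the field names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value used for the first entry in a file


def _mac(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of one entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def append_version(log, key, record_id, data, user, action, timestamp):
    """Append a new version of a record; earlier versions are never rewritten."""
    body = {
        "record_id": record_id,
        "version": 1 + sum(e["record_id"] == record_id for e in log),
        "data": data,
        # The audit entry is part of the MAC'd body, so it cannot be
        # separated from the data without breaking verification.
        "audit": {"user": user, "action": action, "time": timestamp},
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry = dict(body, mac=_mac(key, body))
    log.append(entry)
    return entry


def verify(log, key):
    """Return the index of the first altered or out-of-sequence entry, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        ok_link = entry["prev"] == prev
        ok_mac = hmac.compare_digest(_mac(key, body), entry["mac"])
        if not (ok_link and ok_mac):
            return i
        prev = entry["mac"]
    return None


def versions(log, record_id):
    """All stored versions of one record, oldest first."""
    return [e for e in log if e["record_id"] == record_id]


def demo():
    key = b"constructed-demo-key"  # assumption: held by the application, not users
    log = []
    # Constructed sample measurements.
    append_version(log, key, "M-001", {"d50_um": 12.4}, "asmith", "create",
                   "2024-01-10T09:00:00Z")
    append_version(log, key, "M-001", {"d50_um": 12.6}, "bjones", "modify",
                   "2024-01-10T09:30:00Z")
    append_version(log, key, "M-002", {"d50_um": 8.1}, "asmith", "create",
                   "2024-01-10T10:00:00Z")
    return key, log


if __name__ == "__main__":
    key, log = demo()
    print("intact:", verify(log, key) is None)
    log[0]["data"]["d50_um"] = 13.0  # simulated out-of-band edit
    print("first bad entry after tampering:", verify(log, key))
```

A chain of this kind does not reveal removal of the most recent entries; detecting that requires keeping the latest MAC somewhere outside the file.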

The software contains an additional audit trail facility that records system operations. These audit trail files can be displayed within the application and can be exported as comma delimited text files to other applications such as Microsoft Word™ for examination by the FDA or other interested parties.

These files record all actions that create, modify or delete records as well as log-on, log-off actions and lock-outs after unsuccessful log-in attempts.

To help viewers, each log item in the file is prefixed by an icon to indicate whether the event is associated with:

  • A security event

  • The creation or modification of a record

  • The creation or modification of an SOP

These files can be set up to be automatically created on a daily, weekly, monthly, 3-monthly, 6-monthly or annual basis to suit users' protocols and work rates.

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

The preamble to the final Rule explains that this requirement applies only when the sequence of operations will directly affect the manufacturing process. This part of the Rule is not applicable to the measurement process. It could be applicable when a measurement is made in the manufacturing process but this would be beyond the scope of this document and will already be covered by users' manufacturing Quality SOPs.

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

In all cases, some form of documentary evidence of what constitutes authority is required. If logical access restrictions are used as authority checks, these must be detailed along with details of the management and maintenance of access restrictions.

Logical access restrictions are those resident in Microsoft Windows™ and those resident in the software itself.

When the 21 CFR Part 11 features of the software are enabled, the software has the same set of authority checks as the Microsoft Windows™ operating system.

The key features included are:

  • Ability for users to log in and out of the system without closing down the operating system. This is just one of the benefits of replicating the Windows security features in the software.

  • Enabling a continuous use check to automatically log out a user after a predetermined period of mouse or keyboard inactivity.

  • Enforcement of password ageing where, after a pre-determined period, users must change their passwords.

  • Enforcement of a minimum password cycle where users must cycle through a predetermined number of different passwords before returning to a favourite. Up to 32 passwords can be insisted on. However, it is prudent to insist on a number that can conveniently be remembered by users without them having to resort to the use of Post-It notes or other visible reminders that would defeat the original purpose of the security measures being taken.
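The three policy checks in the list above (inactivity log-out, password ageing and a minimum password cycle) can be sketched as follows. This is an added example, not the Morphologi implementation: the page does not say how the software stores passwords, so the salted PBKDF2 history, the `Account` class and all function names are assumptions; only the limit of 32 remembered passwords comes from the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_HISTORY = 32         # the page states that up to 32 passwords can be insisted on
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


@dataclass
class Account:
    history_depth: int    # number of previous passwords that may not be reused
    max_age_days: int     # password ageing period
    idle_timeout_s: int   # continuous use check (mouse/keyboard inactivity)
    history: list = field(default_factory=list)  # [(salt, digest)], newest last
    changed_at: float = 0.0
    last_activity: float = 0.0

    def __post_init__(self):
        if not 1 <= self.history_depth <= MAX_HISTORY:
            raise ValueError("history_depth must be between 1 and 32")


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def was_used_recently(acct, password):
    """True if the password matches any entry still inside the cycle window."""
    reused = False
    # Compare against every stored entry with a constant-time comparison and
    # no early exit, so timing does not reveal which old password matched.
    for salt, stored in acct.history[-acct.history_depth:]:
        if hmac.compare_digest(_digest(password, salt), stored):
            reused = True
    return reused


def change_password(acct, new_password, now):
    """Accept the change only if the minimum password cycle is respected."""
    if was_used_recently(acct, new_password):
        return False
    salt = os.urandom(16)
    acct.history.append((salt, _digest(new_password, salt)))
    del acct.history[:-acct.history_depth]  # keep only the enforced window
    acct.changed_at = now
    return True


def session_state(acct, now):
    """Evaluate the inactivity and ageing rules for a logged-in user."""
    if now - acct.last_activity >= acct.idle_timeout_s:
        return "logged_out"
    if now - acct.changed_at >= acct.max_age_days * 86400:
        return "must_change_password"
    return "active"
```

Only salted digests are kept in the history, so a long cycle does not mean storing up to 32 recoverable passwords per user.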

Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

The most significant device check, when a measurement is made, is the physical connection to the instrument. For all other forms of data input, the source is not critical and there are no requirements for device checks.

Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

The preamble to the Rule states that this regulation is aimed at the development of applications within the regulated company, not external vendors such as Malvern.

However, it is worth recording that Malvern Instruments is an ISO 9001: 2000 accredited company and complies fully with this requirement.

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

Companies must have written policies that inform the instrument operators that electronic signatures carry the same legal obligations as their written signatures. This may be part of the company handbook or be a specific policy for the users of the instrument and the associated software.

(k) Use of appropriate controls over systems documentation including:

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Point 93 in the preamble to the Final Rule states that the documentation controls

"...apply to systems documentation that can be changed by individuals within an organization. If systems documentation can be changed only by a vendor, this provision does not apply."

The system's documentation includes any manuals shipped with the product and any online help that the software provides. Your company must have written policies that detail the controls to be applied to these documents. These can be as general as a statement that those individuals authorized to use the instrument have full access to the documentation, or as specific as restricting access to the documentation to named individuals.

The software provides online help but does not support any method of restricting access to this help to named individuals. If this is required, the only available solution is to print out a paper copy of the help file and apply controls to the printed document. The original help file can then be removed from the system to prevent unauthorized access. This action should not be required since no sensitive information, such as 21 CFR Part 11 operations, is included in the online help.

Sec. 11.30 Controls for open systems.

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in Sec. 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

The 21 CFR Rule 11 requirements for operating in open environments specify the use of Digital Signatures and encryption. The enabling technologies are still young and there is a high degree of uncertainty as to which mechanism will become the dominant standard. For this reason, no Malvern products currently support operating in an open environment.

If a report is printed in PDF format, the tools available with Adobe Acrobat® can be used to make the PDF file suitable for transmission in an open environment.

Sec. 11.50 Signature manifestations.

The software can use the Adobe Acrobat® package to provide support for electronic signatures. Using the Acrobat® package to produce a PDF report of the measurement data allows you to make use of the advanced digital signature and security features provided by Adobe. If your organization has an integrated electronic signature solution, such as VeriSign™, this method is compatible with all of the industry standard solutions. PDF is one of the preferred submission formats of the FDA and has numerous advantages over other electronic formats.

For details of how Acrobat® can be used to provide a digital signature solution please see Adobe's product literature.

"(l) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

1) The printed name of the signer;

2) The date and time when the signature was executed; and

3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature."

When correctly configured, the Acrobat® digital signature solution makes provision for all of these requirements. Users should have written policies detailing the Acrobat® configuration requirements specific to their environments.

(m) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The digital signatures applied by Acrobat® are printed on the reports and held in the PDF file.

Sec. 11.70 Signature/record linking.

"Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means."

The digital signatures applied by Acrobat are printed on the reports and held in the PDF file. The Adobe Acrobat® PDF file is linked to the original electronic record by information automatically printed on the report by the instrument software.

Subpart C - Electronic Signatures

To provide the most flexible solution to the provision of electronic signatures, the Applications all use the features of Adobe Acrobat®. This allows for a record keeping and approval process similar to current paper-based solutions, with the added convenience and power of an electronic format. Where your current SOPs require a printed document and a manual signature, you may simply use a suitably configured Adobe PDF file and electronic signatures.

When correctly configured for compliance, the instrument software can produce a suitably named PDF file at the end of an SOP measurement ready for signature.

Sec. 11.100 General requirements.

If you elect to use electronic signatures rather than hand-written ones, your organization must have written policies concerning the use of electronic signatures to satisfy the following requirements:

(n) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

(o) Before an organisation establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organisation shall verify the identity of the individual.

(p) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.

(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.

Sec. 11.200 Electronic signature components and controls.

The instrument software uses Adobe Acrobat™ to provide electronic signatures. The requirements of this section apply only to the Acrobat product and should not be confused with the authority checks provided by the instrument software's own security system.

The instrument software has no integral facility for electronic signatures. If electronic signatures are to be used, we recommend the Adobe Acrobat package. This package provides all the facilities required by this section of the Rule.

(q) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

(2) Be used only by their genuine owners; and

(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

(r) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

The use of Biometrics in security systems is not common at this time.

Sec. 11.300 Controls for identification codes/passwords.

Adobe Acrobat™ is used to provide electronic signatures. The requirements of this section apply only to the Acrobat product and should not be confused with the authority checks provided by the instrument software.

The instrument software has no integral facilities for the provision of Electronic Signatures. If Electronic Signatures are to be used, we recommend the Adobe Acrobat™ package. This package provides all the facilities required by this section of the Rule.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password ageing).

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Appendix 1: Definitions (21 CFR 11.3)

Electronic record

"Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system."

If your computer system stores data to a "durable medium" it is creating an electronic record. Hard disks, floppy disks, CD-ROM, tape, flash memory, and zip drives are all forms of durable media. A good way to determine whether your record is likely to need to comply is to turn off the power of the computer. If the record is still there when you next turn the power on, it probably needs to comply. If the FDA audits your company, this data could fall under the remit of the Rule.

However, in the latest Guidance, published in August 2003, the FDA states that Part 11 will apply to:

"Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format.

On the other hand, records (and any associated signatures) that are not required to be retained under predicate rules, but that are nonetheless maintained in electronic format, are not part 11 records.

We recommend that you determine, based on the predicate rules, whether specific records are part 11 records.

We recommend that you document such decisions."

Closed system

"Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system."

There are three mechanisms that may be used to create a closed system:

Physical access to the computer and measurement system can be restricted to those responsible for the content of electronic records. If physical access is restricted to authorized key holders, the system can be considered to be a closed system. In practice this is difficult to achieve. Control of the keys is difficult to administer and it would be very difficult to prove conclusively in court that no other individuals had access.

Logical access to the instrument software can be restricted by a compliant security system. This is a more satisfactory solution because it is more flexible and is simple to manage. Only those individuals responsible for the system are able to access the electronic records. The weakness of this mechanism is that the electronic records are, by definition, stored on a durable medium. If access to this medium is possible by means other than the software used to generate the records, such as a file editor, then no guarantee can be given that the records have not been altered. To resolve this problem, access to all durable media must be restricted by the Operating System security.

Logical access to the operating system must also be restricted to those responsible for the content of the electronic records. The operating system security must comply with the requirements for a closed system.

All of the operating systems supported by the instrument software can be configured to be closed systems.

Open system

"Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system."

Any computer that is not running on a secure operating system is open. Versions of Windows™ prior to Windows NT™ do have passwords but these are easily by-passed by simply pressing Cancel at the login prompt. MS-DOS has no built-in security.

The FDA requirements for open systems are quite stringent and depend on Digital Signatures to verify that electronic records have not been altered. It is for this reason that most suppliers are currently recommending the use of a closed system.

Hand-written signature

"Hand-written signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark."

It is possible to scan a signature into a digital form so that it may be printed on reports. It could be argued that using a pre-scanned copy of a written signature does not constitute a hand-written signature, as the act of signing is not preserved for each successive application. A scanned image of a hand-written signature can be attached to an electronic signature but since the electronic signature regulations allow the plain text of an individual's name, this does not add real value and is not normally required.

Electronic signature

"Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature."

In all practical applications, an electronic signature is the combination of a user identifier and a password known only to that individual. With the right controls in place, this is very secure, but like all security systems, poor control will weaken the security. You may have a very good lock on your front door but if you leave the key under the doormat, it is not secure. It is for this reason that the FDA stipulates very specifically the controls that must accompany Electronic Signatures for them to be acceptable as a means of identifying an individual.

Most of these controls are procedural and must be implemented by you. It is for this reason that it is not possible to say unconditionally that any software package will solve your 21 CFR Part 11 compliance problems outright. Only in conjunction with compliant procedures will compliance be achieved and an FDA audit passed.

Digital signature

"Digital signature means an electronic signature based upon cryptographic methods of originator authentication computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified."

This term is easily confused with Electronic Signature but the two are very different. The key difference is that Digital Signatures rely upon some form of Cryptography to guarantee that the signed record has not been altered since it was signed. The current solutions often rely upon a trusted third party to identify the signer.

An example of Digital Signatures in use is Windows Explorer™. If you set the security settings to only accept code from a trusted source, you will see Digital Certificates from the web sites. The code that Explorer downloads will be Digitally Signed by the vendor. The signature is then sent to a trusted third party and checked. If the signature matches, the code is accepted and run.

Biometrics

"Biometrics are a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable."

At the time of writing, the field of Biometric identification is immature and research into these systems is still in the early stages. Solutions tend to be expensive and impractical for all but the most secure environments.
