EQMS for electronic records and signatures: FDA Title 21 Code of Federal Regulations (CFR) Part 11

It's hardly surprising many life science companies find complying with the FDA's Title 21 CFR Part 11 expensive and impractical. 

Initially attracted by low implementation costs, they get by using 'single use' applications which are clearly not fit for purpose.

Tools like SharePoint, Jotform and outdated lotus notes systems are still widespread. 

When using these systems, quality professionals spend their days manually checking records, verifying audit trails, validating the system, chasing departments and carefully coordinating an ever-expanding portfolio of software applications and compliance records.

When submission time comes, they cross their fingers, hoping the auditor will find everything they want to see.  

"I'd feel anxious everything wasn't where is was supposed to be."

Part of the reason life science companies have been slow to adopt integrated electronic quality and compliance management systems is the initial resource investment to validate a system. 

EQMS starts from £12,000 for a year and takes around two months to properly implement. 

When investors and management teams want to get a product to market, they don't want to wait. Management become focused on the new device or drug which can save or enhance people's lives, and this means compliance checks and regulatory records is something we can fix later.

But implementing an integrated electronic quality management system is significantly less expensive, more practical and less time consuming than your quality managers spending precious working hours completing basic administration work.

Or worse still, risking a rejected submission

But I don't need to tell you this. 

That's why you're here.

You want to know the details of exactly how EQMS helps you to comply with FDA Title CFR Part 11

I asked Kate Armitage, Head of Quality Assurance at Qualsys, to share how our product is designed to help you to comply with FDA Title CFR Part 11. 

Most quality and compliance managers are getting more savvy about the tools available which are fit for purpose and promote time saving efficiency - so they can focus on the improvement rather than administration. 

Governance risk and compliance training sheffield Kate

General

Part 11 reference

Requirement

Comment

 
 

11.10 (a)

The system is validated. The scope of validation includes tests and checks, which demonstrate compliance with all applicable parts of FDA Title 21 CFR Part 11.

The core system goes through development validation testing. Test records are retained.

To comply with the regulation, you must also undertake validation testing once installed and configured.

 

11.10 (i)

Personnel who developed the system are properly trained and have suitable experience.

 

Qualsys has an industry-leading employee training and development program. Employee on-boarding and recruitment are all assessed, and competency gaps monitored. 

 

11.10 (I)

Personnel who maintain the system are properly trained and have suitable experience. 

 

Qualsys provide training, advice and ongoing support. 

 

11.10 (I)

Personnel who use the system are properly trained and have suitable experience.

Qualsys provide validation training to ensure your team are competent to complete internal tests. 

 

 

 

Documentation

11.10 (k)

(1)

Adequate documentation is available to describe the maintenance of the system. 

Manuals, videos, guides and ongoing support is available to help users learn how to configure, use and maintain the system.

 

11.10 (k)

(2)

Controls are in place to ensure only authorised users see documentation.  

Advanced control permissions ensure users are only able to see and use specified functionality. 

11.10 (k)

(2)

System documentation is produced and maintained under a revision control procedure.

All documentation is produced and maintained under a strict revision control procedure and documented in our central management system. 

 

 

System security 

11.10 (d)

System access is limited to authorised individuals.

Access to the system is dependent on the user being registered with a unique username and password.

11.10 (g)

Authority checks are in place to restrict specific system functions to authorised individuals.

EQMS has rich access management functionality based on permissions.

Access to different areas of system functionality and data sets is provided subject to individuals and groups being given permissions by system administrators.

11.10 (d)

An approved procedure which describes the administration of security is available which includes:

Add new user, assign user to groups/roles, change user privileges, deactivate user, force reissue of password

Administrator guidance documents which describe how to perform these tasks in the system is provided by Qualsys and training is given.

It is the responsibility of the customer to define and document responsibilities and approvals processes.

11.10 (d)

To ensure the uniqueness of user IDs, users should never be deleted from the system. Instead the IDs should be deactivated and retained.

Users are made inactive within EQMS and retained records. 

 

Operational checks 

11.10 (f)

The system forces a permitted sequencing of steps and events as appropriate.

This is system independent and an enforced sequence of operations may not be required.

Where permitted users specify sequenced workflows then the system enforces the sequence of events and the individuals mandated to complete them

 

Device checks

11.10 (h)

Device checks are used to determine the source of data or operational instruction.

This is system independent and device checks may not be required.  E.g. a standalone system is unlikely to require device checks.

The system determines the source of data by user authentication for each session. Users may be device independent

 

Electronic records:

11.10 (b)

11.10 (e)

Accurate copies of electronic records (including audit trails) can be made in both paper and electronic form.

This is standard functionality within EQMS. 

11.10 (b)

An approved procedure, which describes the process of making these copies, is available.

The procedures for downloading copies of records from the system are described in system guidance documentation. Access to records is controlled and only authorised individuals may access the required functionality and data.

11.10 (e)

Electronic records (including audit trails) are backed up on a regular basis.

Where Qualsys is responsible for system hosting, backups are taken utilising a fast, affordable, multi-platform and reliable Continuous Data Protection and point in time recovery solution. 

All backups are by default stored to physically redundant, secure and remote data centre facility.

All backups are by default stored encrypted at rest using approved secure techniques (with AES-256 encryption).

Full Backups are taken on a 4-hourly basis for both the SQL and application servers. These have a retention period of 12 weeks. Additional custom backups can be arranged if required.

If Qualsys do not provide system hosting services then backup is a customer responsibility.

11.10 (c)

An approved procedure, which describes the backup process, is available.

Where Qualsys is responsible for system hosting, an approved procedure is in place and is regularly reviewed as part of the ISO 27001:2013 certification.

If Qualsys do not provide system hosting services then Backup is a customer responsibility.

11.10 (c)

11.10 (e)

Electronic records (including audit trails) can be archived for long term storage and are fully retrievable.

This should be designed to retain the record for the period required by the predicate rule.

No closed (completed and approved) records may deleted from EQMS.

Records may be archived and can be retrieved at any time by authorised users.

11.10 (c)

An approved procedure, which describes the archive and restores process, is available.

The procedures for downloading copies of records from the system are described in system guidance documentation. Access to records is controlled and only authorised individuals my access the required functionality and data.

It is the customers responsibility to define and maintain procedures and responsibilities which determine which users are granted the required permissions.

11.10 (c)

The retention period for the electronic records created by the system are clearly defined.

The default retention period is indefinite.

 

Audit trails

11.10 (e)

Creation, modification and deletion of any electronic record covered by the rule results in the creation of an entry in an audit trail.

EQMS has rich audit trail functionality as standard.

11.10 (e)

The audit trail is generated automatically by the system.

 Audit trails are automatically generated by the system

11.10 (e)

Each audit trail entry consists of:

1.  Operator ID

2. Action performed

3. New and previous value if the action is modified or updated 

4. Time and date action occurred 

 Each audit trail consists of operator ID, action performed, new and previous values and time / date stamped. 

Here is an example: Audit trail

11.10 (e)

An approved procedure, which describes the method of maintaining the accuracy of system clocks, which perform time stamping, is available.  This should include the regular synchronisation of system, clocks if appropriate.

All system date / time functionality is derived from the system server clocks and is described in MS O/S guidance.

Where Qualsys provides system hosting the O/S administration procedures are maintained and reviewed regularly as part of ISO 9001 certification.

Where Qualsys is not the hosting provider then O/S administration is the responsibility of the customer.

 

 

Electronic Signatures and general requirements

11.10 (j)

A written policy is available that holds individuals accountable and responsible for actions initiated by their electronic signature.

Records are available to confirm that all electronic signature users have read and understood this policy.

Where required, electronic signatures are enforced by the system and include a warning to users that their electronic signature is being recorded and that they are accountable for the actions they are signing.

By completing the electronic signature, the user is confirming that they have read and understood the policy.

 

Signature record linking

11.70

Each electronic signature is linked to its associated electronic record to ensure that the signature cannot be excised, copied, transferred or in any way falsified by ordinary means.

There must be no access to electronic signatures other than read only via the standard system functions.  Any other access to records containing signatures must be restricted.  Any legitimate access to such records (e.g. database administrator) must be restricted by a formal written procedure.

The system ensures that complete record integrity, including signature components, is maintained and cannot be tampered with. Access is read-only for system users.

Where Qualsys provides system hosting then administration procedures are in place and reviewed as part of our ISO 9001 certification.

Where Qualsys does not provide system hosting then Db Admin is the responsibility of the customer.

 

Electronic signature issue

11.100 (a)

Each electronic signature is unique to one individual and shall not be reused by or reassigned to anyone else.

Electronic signatures utilise the unique user ID and password combination.

It is the responsibility of the customer to ensure that policies are enforced to ensure that shared user ID’s and password disclosure by users are not permitted.

11.100 (a)

No shared/group accounts are defined as electronic signatures.

It is the responsibility of the customer to ensure that policies are enforced to ensure that shared user ID’s and password disclosure by users are not permitted.

11.100 (b)

The identity of individuals must be verified prior to the use of an electronic signature

Users are required to resubmit their passwords for each signature.

11.100 (a)

11.100 (b)

11.100 (c)

An approved procedure which describes the administration of electronic signatures is available and includes:

·        Issue of electronic signatures

·        Withdrawal of electronic signatures

·        Loss management procedures

The system automatically enforces the application and recording of electronic signatures.

It is the responsibility of the customer to ensure that those users using electronic signatures in each instance have the competence and experience to do so.

 

Non-biometric signature use

11.200 (a)

(1)

The electronic signature consists of two distinct identification components such as:

·        User ID/Password combination

·        Token (e.g. swipe card)/password combination

User ID / Password combination are utilised.

 

11.200 (a)

(1) (i)

The first signing in a single period of controlled system access must use both signature components.

Each user login session requires both components.

Each electronic signature during a login session requires password confirmation.

11.200 (a)

(1) (i)

Subsequent signings in the same session may use one component only.  This is an optional requirement but if used then the component must be the secure part i.e. the password

Each user login session requires both components.

Each electronic signature during a login  session requires password confirmation.

2.5.1.5

The electronic signature must only be used by the genuine owner

The system automatically validates user identity.

It is the responsibility of the customer to ensure that policies are enforced to ensure that shared user ID’s and password disclosure by users are not permitted.

2.5.1.6

The password component of an electronic signature is not visible to any system user including the administrator.

All passwords are stored in encrypted format and are not visible to any users.

 

How life science companies across the globe use EQMS to get products to market and maintain compliance

Gxp compliance software

 

Topics: Governance Risk and Compliance News, FDA, GxP Pharmaceutical Regulation, Good Distribution Practice, Medical Device

Share your thoughts on this article