Weighing Systems and 21 CFR Part

11

Nuisance or Opportunity?
ETTLER TOLEDO

Quality Management
 Agenda

 Definitions
 Electronic Records
 Electronic Signature

 Open System versus closed System

 Content of 21CFR Part 11

 Example with LabX software
ETTLER TOLEDO

Quality Management
 Where does the name come from?

 Title 21
 Covers GCP, GLP and GMP (GxP) for the
pharmaceutical and healthcare industries

 CFR
 „Code of Federal Regulations“
ETTLER TOLEDO

 Part 11
 FDA regulated issues relating to electronic
records and electronic signatures

Quality Management
 Who does it apply to?

 All U.S. pharmaceutical and health care

industries

 All international pharmaceutical and

healthcare industries wishing to or
exporting to the USA
ETTLER TOLEDO

 Even other countries or companies not

exporting to the USA are using it as a
guideline in developing their own
regulations
Quality Management
 What is 21 CFR Part 11?

 Regulation issued by the American

„Food and Drug Administration“ (FDA)

 Conditions under which electronic

records and electronic signatures will be
accepted in lieu of signed paper
records.
ETTLER TOLEDO

Quality Management
 Part 11 - Change of Paradigm

 Good old times

 Records created by computerized systems
 Records printed on paper (and signed)

 PAPER COPY became ORIGINAL

 Electronic records reorganized (deleted)

 Paper copy archived

prin sign archi

ETTLER TOLEDO

t ve

Quality Management
 Part 11 - Change of Paradigm

 After Part 11
 ELECTRONIC RECORDS are the ORIGINAL
 May still be printed (and signed), but do not
become an original
 Electronic records must be saved and may
not be modified, overwritten or deleted
without an audit trail
 ELECTRONIC
pri RECORDS
sig must arch
be
ETTLER TOLEDO

ARCHIVED
nt n ive

Its all done electronically on the PC !!

Quality Management
 Purpose of 21 CFR 11

 To allow the use of electronic

records and signatures
 Instead of having to store and submit
paper records
 To prevent, or at least reduce the
risk of, records being deliberately
manipulated to falsify results
ETTLER TOLEDO

 To prevent unauthorized access to

data
 To ensure traceability to the
originator or owner of a record

Quality Management
  ”...people determined to falsify records
may find a means to do so despite
whatever technology or preventative
measures are in place. The controls in
part 11 are intended to deter such
actions, make it difficult to execute
falsification by mishap or casual misdeed,
and to help detect such alterations when
ETTLER TOLEDO

they occur“

Preamble to final rule

Quality Management
 History

 1990 - PMA hosts a meeting with FDA to

demonstrate the advantages of electronic batch
records
 24 February 1992 - FDA creates task force to
investigate the use of electronic records and
signatures
 21 July 1992 - Announcement of “New Proposed
Rule Making” is issued
 31 August 1992 - “Proposed Rule” issued
ETTLER TOLEDO

 20 March 1997 - “Final Rule” issued

 20 August 1997 - “Final Rule” effective
 Due to the Y2K crisis the FDA delays enforcement
of the regulation until August 2001

Quality Management
 What is covered by 21 CFR 11?

 21 CFR 11 not only applies to the

instrument or Analytical system. It also
covers:

 The laboratory itself

• Access control
 All SOPs used
ETTLER TOLEDO

• Signatures
• Change control
 Personnel

• Education and training

• Awareness of 21 CFR 11
Quality Management
 Interpretation of the regulation

 The FDA deliberately made the regulation

vague so as not to force new requirements on
the industry

 Pharmaceutical companies must define their

own realistic requirements
ETTLER TOLEDO

Each company has a different

interpretation

Quality Management
 System Compliance

 A software by itself can‘t be compliant to

21CFR Part 11
 It is the system which has to be compliant.

 Compliance is not the responsibility of the

supplier
 But the standard software has to support
features like
ETTLER TOLEDO

 Audit trial
 Password administration

 Electronic signature

 Software can be part 11 ready !!

Quality Management
 The responsibility of the supplier

 Compliance is not the responsibility of the

supplier
 Suppliers should make it as easy as possible for
companies to comply
 provide systems that support compliance where
possible
 provide suggestions on how to achieve compliance
ETTLER TOLEDO

 Other measures may be necessary from the

pharmaceutical company’s side:
 Access control
 SOPs prohibiting access and documenting required
procedures

Quality Management
 The regulation in detail: Subpart A -
General Provisions
 11.1 Scope
 Applies to records in electronic form that are
created, maintained, archived, retrieved or
transmitted as original records

 Applies to records stored electronically on

durable media
• If system is turned off and on and record
ETTLER TOLEDO

persists then it is deemed to be stored on

durable media

 Does not apply to paper records transmitted

by electronic means
Quality Management
 Definition

 !! 21 CRF Part 11 applies to both !!

ETTLER TOLEDO

 Implementation of ‘electronic records’ is

mandatory

 Implementation of electronic signature is

optional. You still can print to paper and sign
there
Quality Management
 Electronic Records - Definition

 Electronic Record
any combination of text, graphics, data,
audio, pictorial, or other information
representation in digital form that is
created, modified, maintained,
archived, retrieved or distributed by a
computer system
( 21 CFR, Part 11)
ETTLER TOLEDO

Quality Management
 Electronic Records - Definition

 Part 11 applies just to long term storage ER

When records are saved on durable storage

device (Rule of Thumbs: records which are still
there after power on/off)

 Electronic records which may be submitted to

the FDA in lieu of paper records
ETTLER TOLEDO

Records, which are created because of a GxP

Guideline (GMP Data)

Quality Management
 Implementation

 Electronic records in compliance may be

submitted to the FDA in lieu of paper
records

 Intention to do so, and details of which

records, must be communicated to the
FDA in writing
ETTLER TOLEDO

Quality Management
 Definitions (continued)

 Hybrid system
 System using a combination of electronic
and paper records

 Legacy system
 System put into operation prior to August
1997
ETTLER TOLEDO

Quality Management
 Definitions

 Electronic signature
 Computer data compilation of any symbol or
series of symbols executed, adopted, or
authorized by an individual to be the legally
binding equivalent of the individual’s
handwritten signature

 Digital signature
ETTLER TOLEDO

 electronic signature based on cryptographic

methods of originator authentication,
computed using a set of rules and a set of
parameters such that the identity of the
signer can be verified
Quality Management
 Definitions

 Biometrics
 Means of identifying an individual based on
measurement of physical attributes such as
finger print, retinal scan etc.

Note:
 A scanned hand-written signature is not an
electronic signature
ETTLER TOLEDO

Quality Management
 Execution of Electronic Signature

 Non Biometric Identification

 Two independent / unique ID mechanisms
 User-ID /password + security

 Smart - cards / password

 UserID and Signature Board

 Biometric Devices
 Fingerprint recognition
ETTLER TOLEDO

 Retina scan system

Quality Management
 Definitions (continued)

 Closed system
 An environment in which access is
controlled by persons responsible for the
content of electronic records on the system
 Example: Titration system, LIMS etc.

 Open system
ETTLER TOLEDO

 System access is not controlled by persons

responsible for the content
 Example: LIMS access over the Internet

Quality Management
 Closed systems

 11.10 Controls for closed systems

 Validation of the system
 Ability to generate accurate and complete
copies of records in both human readable
and electronic form suitable for inspection,
review and copying by the FDA
 Protection of records throughout their
retention period
ETTLER TOLEDO

 Limiting access to authorized individuals

• Physically
• By SOP
• Electronically

Quality Management
ETTLER TOLEDO Electronic access control

Quality Management
 Controls for closed systems

 Use of secure, computer-generated,

time-stamped audit trails to
independently record the date and time
of operator changes
 Record changes shall not obscure previously
recorded information
ETTLER TOLEDO

Quality Management
 Controls for closed systems

 Use of operational checks to enforce

permitted sequence of events e.g.
sample size limits
 Use of authority checks to ensure that
only authorized individuals can use the
system
ETTLER TOLEDO

Quality Management
 Signature Manifestations

 Signed electronic records shall contain

the printed name of the signer, the date
and time, and the meaning
ETTLER TOLEDO

Quality Management
 Electronic Signatures

 General requirements
 Electronic signatures shall be unique to one
individual
ETTLER TOLEDO

Quality Management
 Electronic signature components
and controls
 Signatures must employ at least 2
distinct components such as ID code
and password
ETTLER TOLEDO

Quality Management
 Electronic signature components
and controls
 When an individual executes a series of
signings in a continuous period of access,
the first signing shall use both components;
subsequent signings shall be executed
using at least one component that is only
executable by the individual
ETTLER TOLEDO

Quality Management
 Electronic signature components and
controls
 Signatures are only to be used by their
genuine owners (this must be taken
care of by the company’s SOPs)

 Unauthorized use requires the

collaboration of at least 2 individuals
ETTLER TOLEDO

Quality Management
 Controls for IDs and Passwords

 Uniqueness

 Periodic revision of passwords

 Controls for lost (forgotten) or stolen
passwords
 Safeguard to prevent unauthorized use
and reporting of such attempts
ETTLER TOLEDO

Quality Management
 Summary LabX compliance with
21CFR Part11
User Management
 User accounts defined by
unique user name and
password

 4 predefined User-Levels

 Definition of individual
access privileges of each
level possible
ETTLER TOLEDO

Quality Management
 LabX complies with 21CFR part11

System access
 Login with matching and valid user name and
password
 Deactivation after 3 unsuccessful attempts
 Reactivation only possible by the administrator
ETTLER TOLEDO

Quality Management
 LabX complies with 21CFR part11

Password rules-and management

 Definition of minimum password length
 Use of special characters can be
enforced
 Password expiry at different intervals
 No re-usage of old passwords
ETTLER TOLEDO

Quality Management
 LabX complies with 21CFR part11

Audit trail
 Changes in user data and system
settings are logged
 List of user, date, time, type of change,
old/new value, reason for change
 Log file can be viewed, printed and
backed up
ETTLER TOLEDO

Quality Management
 LabX complies with 21CFR part11

Electronic Signatures
 Changes are recorded
together with digital
signature
 User has to give a
reason why change
was made
ETTLER TOLEDO

Quality Management
 LabX complies with 21CFR part11

Data security
 Data is stored in a Microsoft SQL
database
 Database cannot be directly accessed
by a user
 Impossible to remove or alter data in an
uncontrolled manner
ETTLER TOLEDO

Quality Management
 LabX professional exports easily to
LIMS
 Automatic
export to
predefined
directory
 Configurable
export content
ETTLER TOLEDO

Quality Management