Wolfgang Winter, Product Manager, Networked Data Systems
23 January 2003
Real World Examples for Part 11 Technical Controls
Time: 3.00 p.m. Central European Time
Telephone Number: +44 20 8240 8243
Chair Person: Ingrid Ginnutt
Dial +44 20 8240 8243, Chairperson Ingrid Ginnutt for e-Seminar Audio Slide 2
Real World Examples for Part 11 Technical Controls
• Implementing the procedural and technical controls for 21 CFR Part 11 is a big challenge for compliance. This seminar explains the technical controls mandated by the rule and demonstrates how they can be implemented, using examples from Agilent Cerity for Pharmaceutical QA/QC, a networked data system from Agilent Technologies targeted at pharmaceutical quality control laboratories.
Agenda for Today’s Session
• Overview of Agilent Cerity for Pharmaceutical QA/QC
• Overview of technical controls mandated by 21 CFR Part 11
• Detailed discussion of each control, using examples from Cerity for Pharmaceutical QA/QC
Agilent Cerity for Pharmaceutical QA/QC
The networked data system that fully supports the everyday tasks of pharmaceutical QA/QC laboratories by modeling the way analysts work.
• Supports QA/QC workflow
• Full 21 CFR Part 11 compliance (e-records and e-signatures)
• Fully scaleable client/server system
• Custom calculator and custom reports to eliminate external calculations
• Level 4 Instrument control for Agilent 6890/6850, 1100, 35900E and Waters Alliance
• Suite of computer-based compliance protocols and services
Cerity Client/Server System
21 CFR Part 11 Technical Controls
Section | Requirement | Responsibility*
§11.10a | Systems must be validated | Proc.
§11.10b | Accurate and complete copies | Tech.
§11.10c | Protection of records | Proc., Tech.
§11.10d | Access limited to authorized individuals | Proc., Tech.
§11.10e | Secure, computer-generated, time-stamped audit trail | Tech.
§11.10f/g/h | Checks (device, authority, system checks) | Tech.
§11.50 | Signature Manifestations | Tech.
§11.70 | Signature/Record Linking | Tech.
§11.100 | Uniqueness of e-sig to the individual | Proc., Tech.
§11.200 | E-Sig Components and Controls | Proc., Tech.
§11.300 | Controls for identification codes and passwords | Proc., Tech.
* Proc. = Pharmaceutical company is usually responsible to develop procedural controls
  Tech. = Supplier is usually responsible to implement technical controls
Accurate and Complete Copies (§11.10b)
“The system must allow the creation of accurate and complete copies of the electronic record in human readable as well as electronic format for inspection and review by the FDA”
Cerity Archive/Restore Utility:
• exchange data between database servers
• long term archival for offline data
• query-based utility
• supports scheduled, scripted operation
• XML archive catalog
Protection of Records (§11.10c)
“Records must be protected to enable accurate and ready retrieval throughout the record retention period”
• Strict protection and version control in the Cerity database – no information is ever overwritten
• Technically, Cerity uses globally unique identifiers and security services to keep records unique and safe from fraudulent or accidental modification
Sign Secure Keep Integrity Retrieve
Access Control (§11.10d)
“System access must be limited to authorized individuals”
• All Cerity utilities require login of an authorized user
• Authentication based on operating system authentication
• No duplicate user account system needs to be maintained for Cerity
Notification of Unauthorized Access (§11.10d)
• Uses the security event log from the operating system
• Leverages security policies already established in the IT infrastructure
• Leverages notification procedures established by the system administrator
Break Number 1
Please type your question into the Chat Box at any time during the presentation.
Audit Trail (§11.10e)
“Use of Computer generated, time-stamped, audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information.”
• Example Screen: Logbook fields available in the report layout editor.
Example for Version Control (§11.10e)
Calibration Table Revision
Sample Result Revisions quantified with this revision of the Calibration Table
Device Check (§11.10h) Example
Device checks should be used to determine the validity of the source of data input or operation instruction.
Example: Wireless radio frequency transmission in the Agilent 1100 Thermostated Column Compartment
Column ID Tag
LEVEL 4 Control
System Check (§11.10g) Example: Formal Results Review/Approval
Operational system checks should be used to enforce permitted sequencing of steps and events as appropriate.
Configurable Sign-Off and Audit Comments
• System allows configuring which actions require electronic sign-off
• Audit comments can be made mandatory (according to predicate rules)
Signature Manifestations (§11.50)
• Meaning of signature
• two identification components
• timestamp recorded in logbook
• reuses security subsystem of operating system
Audit Trail/Signature Manifestation Example
• Meaning of signature
• Report template can show date and time stamps
• Date and time stamps are available in coordinated universal time (UTC)
• User ID (as defined for operating system)
• User full name (as defined for operating system)
… New (Draft) FDA Guidance on Time Stamps
Item | FDA Guidance Requirement | Cerity for Pharmaceutical QA/QC
Time Stamp Accuracy | Computer clocks must be synchronized and safe | … relies on standard NT/Windows 2000 clock synchronization scripts using a time server (IT system administration)
Systems Clock Security | You should be able to detect inappropriate changes to computer clocks. | … relies on standard NT/Windows 2000 security policies and user profiles
Time Zones | You should implement time stamps with a clear understanding of what time zone reference you use. | … stores time information as universal time (UTC). Time information is displayed in local time according to the local time zone settings on the client computer
Expression of Date and Time | System documentation should define how date and time are expressed. | … reuses standard date and time formats as set in the regional settings of the operating system
Precision of Date and Time Expressions | Audit trail and signature time stamps should be precise to the hour and minute. Date expressions in those stamps should indicate year, month and numerical day of the month. | … stores time information including seconds. Presentation of date and time information is done according to the regional settings of the operating system
Signature/Record Linking (§11.70)
“Electronic signatures … shall be linked to their respective electronic records to ensure that (they) cannot be excised, copied, … to falsify an electronic record by ordinary means”
[Figure labels: A, B, CUT, PASTE]
• Cerity data is stored in a secure Oracle database
• Cerity design ensures referential integrity between related records
• Cerity audit trail and signature information cannot be manipulated
• Strict revision control of all records maintained by the Cerity system
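The cut-and-paste scenario from the §11.70 slide, as an added Python illustration that is not Cerity code: the slide attributes Cerity's linking to the database, referential integrity and revision control, whereas this sketch uses an HMAC over the signature manifestation to show the same property. The key, record values, user and function names are constructed for the example.

```python
import hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # constructed demo key (assumption)

def record_digest(record_id, revision, content):
    """SHA-256 over the exact record revision being signed."""
    blob = json.dumps([record_id, revision, content]).encode()
    return hashlib.sha256(blob).hexdigest()

def _mac(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def sign(record_id, revision, content, user_id, full_name, meaning, signed_utc):
    """Signature manifestation (signer, meaning, UTC time) bound to one revision."""
    manifest = {
        "record_id": record_id, "revision": revision,
        "digest": record_digest(record_id, revision, content),
        "user_id": user_id, "full_name": full_name,
        "meaning": meaning, "signed_utc": signed_utc,
    }
    manifest["mac"] = _mac(manifest)  # MAC is computed before the key is added
    return manifest

def verify(manifest, record_id, revision, content):
    """True only if the manifest is unaltered and belongs to this revision."""
    fields = {k: v for k, v in manifest.items() if k != "mac"}
    if not hmac.compare_digest(_mac(fields), str(manifest.get("mac", ""))):
        return False
    return ((fields.get("record_id"), fields.get("revision"), fields.get("digest"))
            == (record_id, revision, record_digest(record_id, revision, content)))

def demo():
    """Constructed records A and B, mirroring the cut/paste picture on the slide."""
    a = ("A", 1, "Assay result: 99.2 %")
    b = ("B", 1, "Assay result: 84.0 %")
    sig_a = sign(*a, "jdoe", "Jane Doe", "Approved", "2003-01-23T14:00:00+00:00")
    pasted = dict(sig_a, record_id="B")        # signature relabelled for record B
    edited = dict(sig_a, meaning="Reviewed")   # manifestation altered after signing
    return {
        "original": verify(sig_a, *a),
        "cut_and_paste": verify(sig_a, *b),
        "relabelled": verify(pasted, *b),
        "content_changed": verify(sig_a, "A", 1, "Assay result: 100.0 %"),
        "meaning_edited": verify(edited, *a),
    }

if __name__ == "__main__":
    print(demo())
```

Only the signature checked against the record revision it was created for verifies; moving it to record B, changing the record content, or editing the recorded meaning all fail.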
Uniqueness of e-sig (§11.100)
“Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else”
• Requires procedural controls in the organization
• Is typically handled by HR and IT departments
• IT policies ensure that combinations of user ID and passwords are unique and periodically revised
• Cerity leverages this work directly - no duplication required for the lab!
E-Sig Components and Controls (§11.200)
The rule requires stringent controls to prevent impersonation
• Logon is mandatory in Cerity (user id and password)
• Cerity session can be locked interactively
• After a defined inactivity period, Cerity sessions are locked automatically.
• User ID and password are required to unlock a locked session.
You are not who you say you are
Example: Cerity Inactivity Timeout
• Addresses the requirements for “discontinuous session”
• Sessions can be locked automatically (time-out) or interactively
• Unlock requires the user to re-enter both identification components
Controls for identification codes and passwords (§11.300)
• Cerity reuses operating system (OS) security system
• Cerity reuses password policies (security policies) defined for the operating system
Leverage from Operating System (OS) Security
• Manage users in system administration console using a standard IT tool (“MMC”)
• Authenticated OS users are granted access rights to the Cerity applications
• Directly reuse password and security policies defined by IT group
Summary
• Implementation of the technical controls for 21 CFR Part 11 has many aspects (technical, procedural, educational)
• Constant trade-off between efficiency and overhead
• Cerity for Pharmaceutical QA/QC offers workflow support and technical controls for 21 CFR Part 11 compliance
• Fits into and leverages the existing IT infrastructure with minimal rework and duplication
References
• Good Automated Laboratory Practices (GAMP) Special Interest Group, Complying with 21 CFR Part 11: Electronic Records and Signatures, Final Draft, September 2000, www.gamp.org.
• Draft Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps, see http://www.fda.gov/ora/compliance_ref/part11/default.htm
• What is Universal Time? http://aa.usno.navy.mil/faq/docs/UT.html
• Computer time synchronization http://tf.nist.gov/timefreq/service/time-computer.html
• How to Set Up And Synchronize with Domain Time Source Servers (Q131715) http://support.microsoft.com/default.aspx?scid=kb;EN-US;q131715
References (2)
• Wolfgang Winter, Electronic Records are here to stay, Biopharm Europe, Special Issue September 2002, 29-31
• L. Huber, Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 1 - Overview and Requirements, Biopharm 12 (11), 28-34, 1999
• W. Winter, L. Huber, Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 2 – Security Aspects for Systems and Applications, BioPharm 13 (1), 44-50, 2000; reprinted in Pharmaceutical Technology 24 (6), 74-87, June 2000
• W. Winter and L. Huber: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 3 – Data Security and Data Integrity, BioPharm 13 (3), 2000, pages 45-49
References (3)
• L. Huber and W. Winter: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 4 – Long Term Archiving and Ready Retrieval, BioPharm 13 (6), 2000
• W. Winter and L. Huber: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 6, Biopharm and LCGC North America November 2000 Supplement
• C. Nickel, W. Winter and L. Huber: Implementing 21CFR Part 11 - Electronic Signatures and Records in Analytical Laboratories, Part 7 – An approach towards compliance with 21 CFR part 11 for non-compliant legacy systems, Biopharm and LCGC North America November 2000 Supplement
Wrap-up e-Seminar Questions
Thank you for attending today’s Agilent e-Seminar. Our Seminar schedule is expanding regularly.
Please check our web site frequently at: www.agilent.com/chem
Or register for “Stay current with e-notes” to receive regular updates.
• Feb 19, 2003: Automated analytical method validation and regulatory compliance
• Mar 13, 2003: Monitoring the health and status of a networked chromatography data system
• Apr 17, 2003: Strategies and examples for design qualification (DQ) and re-qualification (RQ) for laboratory data systems
http://www.agilent.com/chem/eseminars-compliance