In order to discuss compliance with Part 11, Annex 11, and recent regulatory guidances data integrity and temporary memory, some basic information about LabVantage software functionality and some assumptions about the deployment and use of LabVantage software in a customer setting, must be understood:
- User passwords are encrypted, invisible, and have strong password aging enabled to make sure that passwords are only used by the genuine owner.
- Username/password combinations are unique to the individual and logon attempts (successful and failed) are tracked, including user ID, date/time, device ID, success/failure and meaning of action.
- LabVantage software can be deployed as an “open system with appropriate controls” or a “closed system”.
- Audit trails are implemented to automatically capture and identify data and configuration changes that include the date/time, user ID, reason for change, new value and original value.
- Biometrics may be implemented as part of user logon and electronic approvals.
- Audit trails are implemented to automatically log system failures and errors.
- Audit trails are implemented to automatically capture and identify data changes made in temporary memory prior to saving. This is also known as dynamic auditing.
- Storage, retrieval and archival or records are based on the customer-defined record retention period.
- User permissions are based on roles and training to ensure they can only perform functions for which they are authorized. This includes sampling, data editing, data entry, batch disposition and data approvals.
- The current system design and development properly enforces steps and events in a workflow manner.
- All records, including audit trails, are available in human readable form by use of either a reporting engine such as InfoMaker, Business Objects, Crystal Reports etc, or via a helper application, including Excel, Word, Notepad etc.
- For critical manually entered data, a second review and verification may be set up to
verify the data in addition to the electronic checking of data against defined specifications.
- Electronic signatures use unique username/password or biometrics, are based on the “first signing” at the time of controlled access logon, require the user to re-login for non-continuous periods and are permanently linked to the record.
- All records gathered during the use of LabVantage software are accurate and complete, since lab personnel actively enter, review and accept the information contained therein.
21 CFR Part 11
Regulatory agencies have provided guidelines for demonstrating data security and integrity. However, none address the issue to the same extent as Title 21 Part 11 of the Code of Federal Regulations from the U.S. Food and Drug Administration (FDA)i.
In March 1997, the predicate rule was enacted and became effective in August 1997. When developing the rule, the FDA applied the full force of the law and removed the ambiguity of providing a “guideline” so that electronic signatures and records are ensured to be as reliable and trustworthy as handwritten signatures or paper records. The rule applies to any handwritten or electronic record, or its associated signature that is submitted to the agency (specifically 21 CFR Parts 71, 170, 180, 312, 314, 358, 514, 515, 571, 601, 860, 861, 1003, 1010).
Specific Capabilities to Support Compliance with Part 11
The LabVantage Quality and Testing departments have built a complete traceability matrix that links LabVantage software requirements to address and test the software-liable/software-enforceable sections of Part 11 and security. For more details, please see the referenced predicate rule.
Where applicable, LabVantage has done the following to comply with the specific regulatory sections cited below:
Subpart B – Electronic Records |
11.10 |
LabVantage software can be deployed as a “closed system” or an “open system with appropriate controls.” |
11.10.A |
Although the software is validated by LabVantage prior to release, it is the responsibility of the using company to ensure LabVantage software is validated and controlled following the user company processes. |
11.10.B |
The standard database allows for both storage and retrieval of records throughout a customer-defined period of time. |
11.10.C |
Oracle or Microsoft SQL Server archiving processes have been verified to protect records during records-retention processes and to enable accurate retrieval of information. |
11.10.D |
Failed access to the system is logged. All log entries include time/date, user ID, device ID, meaning of action and success/failure. |
11.10.E |
Computer-generated audit trails have been employed for all tables. They are secure, computer-generated, time-stamped audit trails for creation/deletion/modification of electronic records. |
11.10.F |
Sequential processing is enforced through workflows. |
11.10.G |
Verification that each individual is allowed to use the computer device/workstation from which he/she is logging onto the system is performed. After login, the user may only perform system functions for which they are authorized. |
11.10.H |
At connection/login each device is verified as acceptable for system input. The ability for many-to-many links between system devices and users has been provided, with an internal integrity checking capability to verify that users have the appropriate authority to access a specific system device. |
11.10.I |
LabVantage software can be configured to track training records. |
11.10.J, 11.10.K |
This section pertains exclusively to the using company processes. |
11.30 |
User password encryption is incorporated to allow passwords to be used only by the genuine owner. |
11.50.A.1, 11.50.A.2, 11.50.A.3 |
Each electronic record is marked with the user ID, time/date and the “meaning” of the action which created/deleted/modified the record. |
11.50.B |
Identifying information for an individual is captured in the master user identification table, including the printed name, password and other identifying information. This table allows an electronic signature to be disabled by removing the user. Only authorized users may make changes to this table, which also require username and password authentication and are audit trailed. |
11.70 |
The reason-for-change can be configured to be enforced, or optional, at the time of data commitment, depending on the need. Electronic signatures are linked to electronic records. |
Subpart C – Electronic Signatures |
11.100.A |
Each individual’s electronic signature is ensured as unique. The uniqueness of each combination of user ID and password is ensured. |
11.100.B, 11.100.C |
This section pertains exclusively to the using company. |
11.200.A.1 |
Electronic signatures are based on username and password. |
11.200.A.1.I |
The “first signing” (using an electronic signature) for a user will constitute the logon process. |
11.200.A.1.II |
Users are required to re-log into the system during a non-continuous period of controlled system access. |
11.200.A.2, 11.200.A.3 |
This section pertains exclusively to the using company procedures. |
11.200.B |
Biometrics may be implemented using biometrics hardware. Once implemented, LabVantage software makes no distinction between biometrics or non-biometrics within the software. |
11.300.A |
The LabVantage software master user table disallows record duplication. |
11.300.B |
A password aging process that requires users to change their passwords at a regular interval has been incorporated. |
11.300.C |
Disallowing users from all roles, or changing the user password, will “unauthorize” a user’s access to LabVantage software. |
11.300.D |
The use of electronic signatures has been logged as part of the transactional safeguards to prevent unauthorized use. |
11.300.E |
This section pertains exclusively to the validation efforts by the using company. |
EudraLex Volume 4 Annex 11: Computerized Systems
These rules for good manufacturing applied to veterinary and human medicinal products in the European Union. Annex 11v provides details on the integrity of computerized systems as part of GMP-regulated activities. Annex 11 was introduced in 2011 and defines a computerized system as “a set of software and hardware components which together fulfil certain functionalities”. It needs applications to be validated and the IT infrastructure to be qualified.
While Part 11 focuses on electronic records and signatures, Annex 11 addresses personnel, risk management, suppliers and service providers, data, validation, data storage, accuracy checks, audit trails, printouts, change and configuration management, security, periodic evaluation, electronic signatures, batch release, incident management, business continuity and archiving.
Specific Capabilities to Support Compliance with Annex 11
As for Part 11, the Testing and Quality departments at LabVantage have built a complete traceability matrix that links LabVantage software requirements to address and test the software-liable/software-enforceable sections of Annex 11. For more details, please see the Annex 11 reference.
LabVantage has, where applicable, done the following to comply with the specific regulatory sections cited below:
EudraLex Volume 4 Annex 11: Computerized Systems |
SECTION 1 |
This section pertains exclusively to the using company implementation. |
SECTION 2 |
Each user is assigned specific system functions that they are authorized to execute based on their job role. The system can be configured to track training records. |
SECTION 3, 4, 5 |
These sections pertain exclusively to the using company implementation. |
SECTION 6 |
For critical manually entered data, a second review and verification may be setup to verify the data in addition to the electronic checking of data against defined specifications. |
SECTION 7 |
This section pertains exclusively to the using company implementation. |
SECTION 8.1 |
Any data may be printed (paper or electronic form) to view the stored data. |
SECTION 8.2 |
Audit trail reports may be printed to identify changes to data since original entry. |
SECTION 9 |
Audit trails are configured to capture changes or deletions to data which include the user’s name, date, time, reason for change and the change. Audit trail reports are available in human readable format. |
SECTION 10 |
Only authorized users may make changes to the system configuration based on their job role. Configuration changes are captured in the audit trails. |
SECTION 11 |
This section pertains exclusively to the using company implementation. |
SECTION 12.1 |
System access is controlled via unique username and password combination or biometrics. |
SECTION 12.2 |
This section pertains exclusively to the using company implementation. |
SECTION 12.3 |
Changes to access authorizations (creation, modifications, deletions) are recorded automatically in the audit trail and can only be performed by authorized users based on their job role. |
SECTION 12.4 |
Changes to data are captured in the audit trail that includes the username, date, time, change and reason for the change. |
SECTION 13 |
System failures and errors are captured in the system audit trail. Incidents and root cause analysis may be captured in the CAPA module. |
SECTION 14 (A, B, C) |
Electronic signatures are permanently linked to the record that include the username, date, time, reason for change and the change. |
SECTION 15 |
Only authorized users may certify the release or rejection of batches based on their job role. These certifications are captured in the audit trail and include the username, date, time and the reason for release / rejection. |
SECTION 16 |
This section pertains exclusively to the using company implementation. |
SECTION 17 |
There is a process to archive data on a periodic basis. Data accessibility, readability and integrity are the responsibilities of the using company implementation. |
References
i “Electronic Code of Federal Regulations, Title 21, Chapter 1, Subchapter A, Part 11,” U.S. Food and Drug Admin- istration. (Available at www.ecfr.gov/cgi-bin/text-idx?SID=f89b66d6f3c7a9d2b91d534beedf4a45&mc=true&t- pl=/ecfrbrowse/Title21/21cfr11_main_02.tpl)
ii Data Integrity and Compliance With CGMP Guidance for Industry, Draft Guidance, April 2016, Pharmaceutical Quality/Manufacturing Standards (CGMP), U.S. Food and Drug Administration. https://www.fda.gov/
iii MHRA GxP Data Integrity Definitions and Guidance for Industry, Draft Version for Consultation, July 2016, Medicines & Healthcare products Regulatory Agency. https://www.gov.uk/
iv “EudraLex The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems,” European Commission Health and Consumers Directorate-General. (Available at https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf)
About LabVantage Solutions
LabVantage Solutions, Inc. is the leading global laboratory informatics provider. Our industry-leading LIMS and ELN solution and world-class services are the result of 35+ years of experience in laboratory informatics. LabVantage offers a comprehensive portfolio of products and services that enable companies to innovate faster in the R&D cycle, improve manufactured product quality, achieve accurate recordkeeping and comply with regulatory requirements.
LabVantage is a highly configurable, web-based LIMS/ELN that powers hundreds of laboratories globally, large and small. Built on a platform that is widely recognized as the best in the industry, LabVantage can support hundreds of concurrent users as well as interface with instruments and other enterprise systems. It is the best choice for industries ranging from pharmaceuticals and consumer goods to molecular diagnostics and bio banking. LabVantage domain experts advise customers on best practices and maximize their ROIs by optimizing LIMS implementation with a rapid and successful deployment.
Sponsored Content Policy: News-Medical.net publishes articles and related content that may be derived from sources where we have existing commercial relationships, provided such content adds value to the core editorial ethos of News-Medical.Net which is to educate and inform site visitors interested in medical research, science, medical devices and treatments.