Compliance with FDA regulations on electronic records and electronic signatures (21 CFR Part 11)
Title 21 CFR Part 11 is a U.S. federal regulation specifying FDA guidelines for electronic records and electronic signatures. It requires most companies that deal with the FDA, such as pharmaceutical companies, to implement controls that ensure the integrity of their documents.
Assist 4.0 approach to compliance
To provide the security required for compliance with the 21 CFR Part 11 rule, the software has in place security functions which provide:
The use of user identification codes and passwords enables control over who can log on to the system and who can perform particular functions within the Atharvana application software. It also provides the mechanism to allow electronic signature of electronic records.
The following are adhered to in Assist 4.0 software:
As stated above, the unique user identification code is fundamental to the security of the system. The text of the “User Name”, “Full Name” and “Description” fields is included in reports and audit logs to identify the user who has changed or signed electronic records. It is essential that the “Full Name” field contains the user’s full name, as it is a specific requirement of the 21 CFR Part 11 rule that the “printed name of the signer” is indicated on signed records (Section 11.50 (a) (1)). Users are also required to change their password when they first log on to the system, to ensure the security of the password.
Once the system administrator has set up the users, the Assist 4.0 software guides the system administrator through the required steps to set up the security. This covers the following issues:
Controls for Electronic Records
The 21 CFR Part 11 rule contains a range of specific measures to ensure the integrity of the system operations and information stored in the system.
Accurate and complete copies (Compliance with Section 11.10 (a) & (b))
The Assist 4.0 application software utilizes the Windows copy function to produce electronic copies of files within and between protected directories on the local PC. The application can load and display its electronic records (incorporating the audit trails) stored in a protected directory on the local IPC. These items can also be printed using the application software.
The Assist 4.0 software provides files that can be used for review of the records, independent of the application software. The file formats available include ASCII, PRN, RTF and HTML.
Audit trails (Compliance with Section 11.10 (e))
Atharvana systems utilize audit logs provided by the Assist 4.0 software and by the Windows operating system. Audit logs are created by the application software. The application forces the complete collection of data including such things as method, instrument data, final results, etc. These audit logs also record who made the changes, when and why. When changes are made, the previous value and the new value for the altered field are recorded. The system will also prompt the user to enter a reason for the change, although including a reason is optional. The reason for change, or text stating that no reason was given, is stored with the record. The data and methods are also stored together. The application software and the operating system write to the Windows event log(s), recording authorization attempts, access to the application, saving of files, logon activity, and account privilege and audit policy changes. The application software audit logs cannot be deleted from the electronic records of which they are a part.
Protection of records (Compliance with Section 11.10 (c) & (e))
While the Assist 4.0 application protects the electronic records and provides an audit trail of any changes to those records, the user organization must also establish rigorous and systematic archiving and backup standard operating procedures to ensure that electronic records generated by Atharvana software are stored in such a manner that they can be retrieved and used over an extended period of time.
The Assist 4.0 software automatically sets the security access to the protected directories so that users (other than the authorized system administrator) cannot delete or alter records.
Validation (Compliance with Section 11.10 (a))
Atharvana can provide detailed information regarding its software design, development, testing, maintenance and archiving procedures. Atharvana offers installation qualification (IQ) and operation qualification (OQ) documentation and services. Atharvana can also assist the user organization with ongoing performance qualification (PQ) if required.
Controlling access and checking authority
Assist 4.0 systems use a combination of user identification code and password. The mechanism is used to provide both the ability to carry out authority checks and the ability to sign or authorize electronic records. (Compliance with Section 11.200 (a) (1))
Assist 4.0 systems carry out the following authority checks: (Compliance with Sections 11.10 (d) and (g))
Controlling user identification codes and passwords
The methods used to establish passwords and the policies used to control them are specifically designed to meet the stringent requirements of the 21 CFR Part 11 rule. The system requires the password to be at least six characters in length. Initially, the system administrator must provide a temporary password when setting up a user and, as mentioned previously, the system administrator must select the option to force the user to change the password at next logon. When the new user first logs on to the system, they are required by the system to change the password immediately. This ensures that only the individual user knows their particular user identification code and password combination and therefore that “attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals” (Compliance with Section 11.200 (a) (3)).
The Assist 4.0 system allows the Administrator to set the period after which passwords must be changed. The system requires that each time the user changes their password it must be different from the 12 (Windows NT) or 24 (Windows 2000 or XP) previous passwords used. The Atharvana software sets these parameters automatically at installation, but they can be adjusted by the system administrator to suit the organization’s requirements. (Compliance with Section 11.300 (b))
In the Assist 4.0 system, the user account is disabled following a defined number (usually three) of failed attempts to enter the correct user identification code and password combination. When the user is attempting to log on, they are logging on to the PC itself. Therefore, if the logon attempt fails they do not gain access to use the PC and do not, at any stage, gain access to the application software. (Compliance with Section 11.300 (d))
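Because these password and lockout parameters are Windows account settings that the administrator can adjust after installation, they can be re-checked on an installed PC by exporting the local security policy with `secedit /export /cfg policy.inf /areas SECURITYPOLICY` and auditing the file. The Python script below is an added example, not Atharvana code; the sample export text is constructed, and the function names, the `max_failed_logons` default of three and the treatment of a non-positive maximum age as "no period set" are assumptions.

```python
# Added example: audits a `secedit /export` policy file against this page's values.
MIN_LENGTH = 6  # page: passwords must be at least six characters

# Constructed sample of the relevant part of an export (not real output).
SAMPLE = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 3
[Version]
signature="$CHICAGO$"
"""

def parse_system_access(inf_text):
    """Return the [System Access] settings of the export as {key: raw string}."""
    section, values = None, {}
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def check_policy(inf_text, history_required, max_failed_logons=3):
    """Return {setting: problem}; an empty dict means every check passed."""
    raw = parse_system_access(inf_text)
    def num(key):
        try:
            return int(raw[key])
        except (KeyError, ValueError):
            return None  # missing or non-numeric counts as a failure below
    checks = {
        "MinimumPasswordLength": (lambda n: n >= MIN_LENGTH, f"must be >= {MIN_LENGTH}"),
        "PasswordHistorySize": (lambda n: n >= history_required, f"must be >= {history_required}"),
        # Assumption: a non-positive maximum age means no change period is set.
        "MaximumPasswordAge": (lambda n: n > 0, "a change period must be set"),
        # A threshold of 0 disables account lockout entirely.
        "LockoutBadCount": (lambda n: 0 < n <= max_failed_logons, f"must be 1..{max_failed_logons}"),
    }
    problems = {}
    for key, (ok, rule) in checks.items():
        value = num(key)
        if value is None or not ok(value):
            problems[key] = f"{key} = {raw.get(key, '<missing>')}: {rule}"
    return problems

if __name__ == "__main__":
    print(check_policy(SAMPLE, history_required=24) or "policy matches the page's values")
```

Pass `history_required=12` or `24` according to the Windows version, as the page describes. secedit writes its export as UTF-16, so read the file with `open(path, encoding="utf-16")` before passing the text in.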