Upload
james-yencho
View
14
Download
0
Embed Size (px)
DESCRIPTION
ESR Cfr 21 FDA
Citation preview
gxpand jv t .com Journal of Validation technology [Autumn 2012] 15
Device Validation Forum.John E. Lincoln]
For more Author
information,
go to
gxpandjvt.com/bios [ABOUT THE AUTHORJohn E. Lincoln is a principal consultant for J.E. Lincoln and Associates LLC, which assists companies in the design and implementation of complete 21 CFR 111, 210, 211, 820 and ISO 13485 quality management systems
that are fully cGMP-compliant and will have pass FDA audits. He may be reached by e-mail at [email protected].
Issues with Medical Device Part 11 Electronic Records; Electronic Signatures
Device Validation Forum discusses regulatory
requirements, scientific principles, strategies, and
approaches associated with medical device valida-
tion that are useful to practitioners. We intend this
column to be a valuable resource for daily work
applications. The key objective for this column is
useful information.
Reader comments, questions, and suggestions
are needed to help us fulfill our objective for this
column. Suggestions for future discussion top-
ics or questions to be addressed are requested.
Case studies illustrating principles associated with
medical devices submitted by readers are also most
welcome. We need your help to make Device
Validation Forum a useful resource. Please send
your comments and suggestions to column coor-
dinator John E. Lincoln at [email protected] or to
journal managing editor Cale Rubenstein at cru-
INTRODUCTION
As the medical device industry moves toward elec-
tronic records (ER) and signatures by in-house sys-
tems and/or cloud/web-based systems, and away from
paper documentation, 21 Code of Federal Regulations
(CFR) Part 11, Electronic Records; Electronic Signatures
(ES) verification and validation (V&V) activities and
documentation become mandatory. These issues are
not only a regulatory/Part 11 concern but also a user/
customer concern.
These requirements should not be viewed as unnec-
essary bureaucratic red tape. All industries, not just
US Food and Drug Administration-regulated ones,
are increasingly faced with these issues. The require-
ments of Part 11 are very similar to those that bank-
ing, finance, legal, and other business entities face.
All must strive to ensure the integrity of electronic
records/signatures as these increasingly replace paper-
based records and documentation systems.
What are these Issues?There are several issues pertinent issues that need to
be described. They discuss how a company can verify
or validate compliance to those portions of Part 11
that are applicable to their operations.
Large software applications having a current good
manufacturing practice (cGMP) impact include enter-
prise resource planning (ERP) systems. ERP valida-
tions typically involve both cGMP activities/records
and purely business/non-cGMP activities/records.
These typically impact all areas of a company. They
often present the most complex challenge for a Part 11
V&V project. Since that is the case, a Part 11 validation
will typically only use test cases/scripts that address
specifically the cGMP functions that the software
performs, when they can be separated. Each test case
is developed from the software requirements specifi-
cation (SRS) or its equivalent, which should only list
those requirements that are cGMP-specific (for the
purpose of the cGMP/Part 11 software V&V).
The companys 21 CFR Part 11 ER/ES requirements
would be included in the SRS. However, the author
recommends that the purely Part 11 requirements be
addressed by test cases in the operational qualification
John E. Lincoln
ES156867_IVTJVT1112_015.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
16 Journal of Validation technology [Autumn 2012]
Device Validation Forum.
i v t ne twork .com
(OQ), including those addressed by non-software/
offline systems and references to relevant standard
operating procedures (SOPs), manual logs, or similar
documentation. The rationale is that the V&V of Part
11 requirements generally focuses on the existence/
initialization (installation qualification [IQ] or opera-
tional qualification [OQ]) of each applicable element
of Part 11 rather than its repeatability performance
qualification (PQ). Where proof of repeatability is
a concern, test cases could be added to the PQ runs
as well.
As with any validation, a line in the sand must be
drawn prior to start. This means that once the decision
is made to validate, the software must be frozen
in time, with any future changes performed under
revision/release number/change control. Any changes
must include consideration of the degree of effect the
change may have on any previous verification/valida-
tion activities. Where such change control is relatively
easy with hardware, it is increasingly difficult with
software, especially cloud or web-based software
(e.g., applications or data warehousing/storage that
can almost automatically be upgraded, patched,
or have a service pack added by the vendor over the
Internet without notification or input from the using
company).
Whenever this author undertakes such a validation
with a client, a meeting is arranged with the com-
panys information technology (IT) department and
quality assurance (QA) team to initiate systems and
capture and hold all such incoming changes for joint
IT/QA review against existing V&Vs. The appropriate
decision and method of implementation, regression
testing required, and/or similar actions can be decid-
ed, documented with supporting rationale, signed,
dated, and implemented under change control. With-
out such a system in place, any validations are merely
a waste of time and valuable resources.
ELECTRONIC RECORDS/SIGNATURES AREAS REQUIRING V&VThe following are the type of electronic records and/or
e-signatures that require validation under 21 CFR Part
11. These may be exclusive cGMP records or records
used for cGMP decision-making (regardless of the
company written policy):
Any cGMP document that an SOP states is docu-
mented by a controlled hard/paper copy with
manually entered signatures (this includes per-
sonnel actually not using these hard copies but
referring to their computers in order to make
quality control [QC]/cGMP decisions [i.e., it is
not what a company says, but what it is actually
being done])
Management reviews of quality policies, systems,
organization/staffing, audits, etc.
Internal quality audits
Training: conduct, subject matter, and records
Proof of design control activities (an electronic
design history file [e-DHF])
Any cGMP document approval using e-documents
and/or e-signatures
Change control
Documentation of suppliers, evaluation/audits
rankings, and purchasing/quality data
Inventory identification, traceability, and status
Electronic SOPS (e-SOPs)
Monitoring/control of production processes elec-
tronically with e-reports
Environmental controls (heating, ventilation,
and air conditioning [HVAC], vector/pest, et al)
Post monitoring (PM) and/or calibration
scheduling
Record of equipment inspections
Control of manufacturing materials (e.g., lubricat-
ing oils, cleaners)
Test equipment control, including the above
Validation records
Incoming, in-process, and finished goods inspec-
tions: data, acceptance status, quarantine
Non-conformance reports, controls, reviews, dis-
positions, and approvals
Corrective and preventative action (CAPA) sys-
tem documentation, including complaint and
MDR files, failure investigations, and root cause
analysis
Labeling design, control/storage, and issuance/
counts
Packaging documentation
Distribution records
All cGMP e-records (if primary records, as defined
by usage)
Device master record (DMR)
Device history (batch/lot) record (DHR)
Any electronic/computer statistical analysis tools
related to making cGMP decisions (e.g., product
release, which may require additional software
V&V)
As per above, all software systems, independent
of cGMP records/signatures used in manufac-
turing or part of medical devices, require their
own V&V per other guidance documents (820.30
design controls [product validation] and 820.70
[i] automated processes)
ES156871_IVTJVT1112_016.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
gxpand jv t .com Journal of Validation technology [Autumn 2012] 17
John E. Lincoln.
ERP software used to control movement and stor-
age of inventory, as per above
Any other cGMP/QA/QC approval action and/
or status record.
RISK-BASED BLACK BOX V&VSince most projects usually involve commercial off-
the-shelf (COTS) software, the scripts/test cases are run
black box and also involve hardware functionality.
Table I: Subpart 11.10: Verify Records Input and Retention.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Can invalid or altered records be
determined?
Invalid/altered records can be
determined.
Yes/No
Attachment #
Is system capable of producing
accurate/complete hard/paper
copies of electronic records?
System produces accurate/
complete hard copies of ER.
Yes/No
Attachment #
Are records readily retrievable
throughout their retention period
(user to define records/data bases
involved and retention periodone
year from shipment, minimum)?
ERs are readily retrievable
throughout their retention period.
Yes/No
Attachment #
Is system access limited to
authorized personnel (by
password, SOP, and user-provided
and physical security)?
System access is limited to
authorized personnel (state
method).
Yes/No
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Table II: Verify Audit Trail.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Does system create/maintain a
secure, time-stamped audit trail?
System creates/maintains a
secure, time stamped audit trail.
Yes/No
Attachment #
Does it record date/time, entries/
actions for any activity that
creates, modifies, or deletes
electronic records (documents
to be controlled by user, and 21
CFR Part 820 Quality System [QS]
Regulation/medical device cGMPs).
System records date/time, entries/
actions for any ER creation,
modification, or deletion of cGMP
records.
Yes/No
Attachment #
Are changed or deleted records
archived and retrievable (records to
be defined by user)?
Changed or deleted records are
archived and retrievable.
Yes/No
Attachment #
Is the audit trail retrievable throughout
that records retention period?
Audit trails are retrievable
throughout the ERs retention
period.
Yes/No
Attachment #
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
ES156875_IVTJVT1112_017.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
18 Journal of Validation technology [Autumn 2012]
Device Validation Forum.
i v t ne twork .com
Of course, all software V&V is product risk-based. It
is recommended that an International Organization
for Standardization (ISO) 14971 product risk manage-
ment file/report (and use the same format for non-device
industries) be developed prior to developing the V&V
documentation. The degree of risk tied to the user of the
companys products can be used to determine the amount
of test case/script elements necessary to prove compli-
ance. Tie test cases to specific risk document references
by a traceability matrix or commonality of numbering
between hazard/risk entry and test case/script to justify
the degree of verification elements addressed in each test
case. It is crucial to draw that line in the sand on the
software with the support of the company IT department
to prevent non-approved updates, patches, etc. to the
relevant software that could impact the V&V downstream.
Table III: System features/checks.Verify data installation is completed, correct, and readily retrievable.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Can it be reviewed/copied by FDA?ERs can be reviewed/copied by
FDA.
Yes/No
Attachment #
Does the system enforce sequence
of steps/events if required (e.g., no
release to inverse of non-approved
components/specific steps)?
The system enforces the sequence
of ERP events per referenced flow
charts.
Yes/No
Attachment #
Are only authorized individuals
allowed access to the system,
permitted to sign records, access
the operation/input/output device,
alter records, and perform other
operations (e.g., defined by password
and level of authority/access)?
Only authorized individuals are
allowed access, sign records,
installation/operation access,
records altering, and similar
operations that affect ER accuracy/
retention/retrieve ability.
Yes/No
Attachment #
Does the system check the validity
of the data source if multiple
sources for such data exist?
The system checks one source
therefore there are no checks
between sources.
Yes/No
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Table IV: Training.Verify data installation completed per SOP.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Is training of all involved personnel
conducted and documented
(user issue/vendor assist)?
Training is conducted periodically
and documented.
Yes/No
Attachment #
Do written policies address the
accountability and responsibility of
individuals actions initiated under
their electronic signature (user
issue)?
Written policies/SOPs address ES
accountabilities/responsibilities.
Yes/No
Attachment #
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
ES156880_IVTJVT1112_018.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
gxpand jv t .com Journal of Validation technology [Autumn 2012] 19
John E. Lincoln.
The following test case elements are extracted
directly from 21 CFR Part 11.
ELECTRONIC RECORDS AND ELEC-TRONIC SIGNATURES Subpart A--General Provisions 11.1 - Scope. 11.2 -
Implementation. 11.3 - Definitions.
Subpart B--Electronic Records 11.10 - Controls for closed
systems. 11.30 - Controls for open systems. 11.50 - Sig-
nature manifestations. 11.70 - Signature/record linking.
Subpart C--Electronic Signatures 11.100 - General require-
ments. 11.200 - Electronic signature components and con-
trols. 11.300 - Controls for identification codes/passwords.
DEVELOPING THE TEST CASES/TEST SCRIPTEach element of the subparts of Part 11 are reframed
into questions or statements for which an answer in
the companys Part 11 software or offline systems
will have to be found. Subparts 11.1, 11.2, and 11.3
provide background information and requirements
of the CFR, and consideration is for reference only.
Beginning with subpart 11.10, the suggested
approach described below can be implemented. In
some instances, assumptions have been made regard-
ing the element to verify. When using this example,
the user will have to adjust actual test cases/scripts to
match the systems/applications elements that apply
to their application. Higher risk applications would
require expansion of the number of test case/test script
entries to resolve or verify function of each element.
SOFTWARE VERIFICATION/VALIDATION PROTOCOL FORMAT EXAMPLES The following should be considered as very basic tem-
plates. Applicable test cases or test case elements should
be expanded depending upon the applications being
verified/validated. These present one possible method
among many that could be acceptable in validating elec-
tronic records and electronic signatures to 21 CFR Part 11.
Table V: Systems documentation control.Verify data installation completed per SOP.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Is systems operation/maintenance
documentation controlled
(user and password limits)?
Systems operation/maintenance
documentation is controlled
(reference method[s]).
Yes/No
Attachment #
Is system documentation under
formal change control with a
time-sequenced audit trail for
changes (Also see other audit
trail questions/comments)?
System documentation is under
formal change control with an audit
trail.
Yes/No
Attachment #
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Table VI: Subpart 11.30.Verify data installation is completed, correct, and readily retrievable.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Is open system data Open system data is encrypted. N/A
Are open system signatures
digitized?
Open system signatures are
digitized (or reference any alternate
method(s).
N/A
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
ES156872_IVTJVT1112_019.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
20 Journal of Validation technology [Autumn 2012]
Device Validation Forum.
i v t ne twork .com
VERIFICATION SCRIPT: ELECTRONIC SIGNATURES
Table VII: Subpart 11.50: Electronic Signatures Features.Verify data installation is completed, correct, and retrievable.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Do electronic signature
manifestations include the printed
name, date/time of signing, and
meaning of signing (approval,
review, responsibility, and feature
is available generally by level of
password-protected /defined level
of access)?
ESs include stated requirements.Yes/No
Attachment #
Is the signature supporting
information mentioned above
displayed and printed on hard
copies of the electronic record?
ESs are displayed, printed, or
obviously linked on hard copies
printed of the ER.
Yes/No
Attachment #
Are signatures linked to the
respective electronic record
to prevent cut/copy/transfer/
falsification (are signatures
imbedded in the actual record/
document or stored in another file
and flagged)?
ESs are either linked to, or
embedded in, the respective ER.
Yes/No
Attachment #
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Table VIII: Subpart 11.100: Unique Electronic Signature.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Are electronic signatures unique to
an individual (through specific login
and password)?
Unique ESs exist.Yes/No
Attachment #
ID verified before issue?Verification performed by system to
prevent duplicate IDs.
Yes/No
Attachment #
Are electronic signatures reused or
reassigned to others (controlled user
SOP number/user setup)?
ESs are not reusedYes/No
Attachment #
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
ES156869_IVTJVT1112_020.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
gxpand jv t .com Journal of Validation technology [Autumn 2012] 21
John E. Lincoln.
Table IX: Subpart 11.200: Secure Electronic Signature.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Is the signature made up of at least
two components (e.g., code, card,
password combinations, ID and
password, and use physical ID
components [e.g., cards])?
ES has minimum of two
components (describe).
Yes/No
Attachment #
Must the password be executed at
each signing and during a multiple
signing (continuous) session?
Password must be entered for
each signing in multiple signings.
Yes/No
Attachment #
Does the capability exist to be
defined by user?
Capability is defined by user
(describe).
Yes/No
Attachment #
Recommend reentry of password
wherever a new physical signature
would be required rather than a
multiple/continuous-signing feature.
Password reentry is required for
any new signature.
Yes/No
Attachment #
If not continuous, must both
components of the signature be
executed (to be user-defined)?
Describe number of components
required for a signature to be
entered (user ID/user password).
Yes/No
Are non-biometric signatures only
used by their genuine owners (user
SOP defined/a user security issue)?
Describe method used for control
of non-biometric ES: issue of single
user ID/user defined password.
Yes/No
Has it been shown that biometric
signatures can only be used by
their genuine owner (are biometric
signatures [retina or fingerprint
scans, etc.] utilized)?
Biometric signatures are not
currently used in this ERP.Yes/No
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Table X: Planned security breach.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Would an attempt to falsify an
electronic signature require the
collaboration of at least two
individuals (only in the sense that
one of the two just have been
careless in allowing another to
steal and use his/her password)?
Purposeful falsification of an
ES requires two or more willing
individuals
Yes/No
Is the software configured
to require a minimum of two
passwords to accomplish a defined
action (e.g., document changes)?
A minimum of two ESs are required
for the approval of a cGMP ER.
Yes/No
Attachment #
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
ES156868_IVTJVT1112_021.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
22 Journal of Validation technology [Autumn 2012]
Device Validation Forum.
i v t ne twork .com
Table XI: Subpart 11.300: User ID/Passwords.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Are controls in place to assure
the uniqueness of each code/
password combination?
User IDs/passwords are controlled;
system prevents user ID to be re-
issued/re-used
Yes/No
Attachment #
Do procedures require the periodic
checking of the validity of ID codes
(user SOP issue: does software do
this automatically)?
This is controlled in Windows OS;
passwords expire per defined
intervals.
Yes/No
Attachment #
Do passwords periodically expire
and require revision (see above)?
Passwords are controlled by
Windows OS with periodic
expiration/revision.
Yes/No
Attachment #
Is there a procedure to recall ID
codes/passwords when someone
leaves/is transferred?
User IDs/passwords are recalled/
retired when the owner leaves/is
transferred per SOP XXX.
Yes/No
Attachment #
Is there a procedure to
electronically disable any ID code/
password that has been potentially
compromised/lost?
User IDs/passwords can be
disabled if they are suspected of
having been compromised/lost per
SOP XXX.
Yes/No
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Table XII: Outside systems breech/hacking.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Is there a procedure to detect
attempts at hacking and inform
security (primarily by the audit trail
feature after the fact)?
Hacking can be detected and is
acted upon by reviewing IT or
advanced security logs daily.
Yes/No
Attachment #
Is there a procedure for reporting
repeated or serious attempts at
unauthorized use to management
(could be by means of audit trail
review or user SOP)?
Attempts at unauthorized use
(see above) are documented and
reported to management (describe
method).
Yes/No
Attachment #
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
ES156870_IVTJVT1112_022.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
gxpand jv t .com Journal of Validation technology [Autumn 2012] 23
John E. Lincoln.
AN IMPORTANT CAVEATA company may believe and proclaim that it is not
using electronic records and/or electronic signatures.
It may base this on the fact that its SOPs define that
controlled records are paper documents with manual
signatures, and those hard copies are routed for
approval and used for cGMP actions and retains/files.
However, the real test is how records are actually being
used to make cGMP decisions in the company. FDA
consumer safety officers (CSOs)/auditors have been
seen observing company personnel using their com-
puter screen to pull up records and SOPs and then
make cGMP decisions from that image. If this is the
companys practice, even if they are controlling hard
copies and state that in their SOPs, the auditor will
rightly conclude that an e-record is being used and
expect to see 21 CFR Part 11 validation performed.
CONCLUSIONThe use of electronic records and electronic signa-
tures is increasingnot just in regulated industries.
These types of issues will be seen in all industries that
require legally binding documentation. Most profes-
sionals already deal with encrypted transactions on
the Internet and hope that companies have similar
systems in place to ensure integrity versus the grow-
ing danger of identity theft. The type of information
and verification/validation required in 21 CFR Part
11 will be replicated and expanded upon worldwide,
not only in medical products, but in finance, legal,
and all business entities desiring a viable global busi-
ness model. JVT
Table XIII: Loss management.
Action Initiated Expected Outcome Meet OutcomeVerified By
Initial & Date
Is loss management defined/
practiced for lost or stolen devices
(only by user SOP)?
Loss management of any
applications-accessible devices is
practiced (describe).
Yes/No
Attachment #
Is there a procedure to
electronically disable a device if
its lost/stolen/compromised (by
password access/user alternative)?
Describe any method to disable a
compromised device.
Yes/No
Attachment #
Are there controls for issuance
of temporary and permanent
replacements?
Describe any controls in the
issuance of temporary or
permanent replacement devices.
Yes/No
Attachment #
Is there initial and periodic testing
of tokens/cards?Describe or N/A N/A
Does this check for unauthorized
alterations?Describe or N/A N/A
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
ES156882_IVTJVT1112_023.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
24 Journal of Validation technology [Autumn 2012]
Device Validation Forum.
i v t ne twork .com
GLOSSARY
Black box Review/verification of software algo-
rithm/coding by observing the soft-
wares operation of the hardware, with-
out access to the actual software code,
as opposed to white box or glass
box testing (see white box below)
CDRH Center for Devices and Radiological
Health
cGMPs Current good manufacturing practices
(for devices it is 21 CFR Part 820)
CFR Code of Federal Regulation
COTS Commercial off-the-shelf software
CSO Consumer safety officer (i.e., the FDA
compliance auditor)
ERP Enterprise resource planning
FDA The United States Food and Drug
Administration
ISO International Standards Organization
IT Information technology
IQ Installation qualification
OS Operating system
OQ Operation qualification
PQ Performance qualification (generally
three or more as needed by inherent
system inputs, et al, variability)
QA Quality assurance
RA Regulatory affairs
R&D Research and development
SOP Standard operating procedure
SRS Software requirements specification
V&V/V[T]&V Verification [Testing] and Validation
White box Code review for logic and adherence to
conventions with no observable prob-
lems (same as glass box review).
ES156878_IVTJVT1112_024.pgs 11.21.2012 00:44 ADV blackyellowmagentacyan
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.