Supporting the Pharmaceutical Industry With 21 CFR Part 11 Compliance Readiness

Introduction

The purpose of this document is to describe how PANalytical systems support system owners in meeting the requirements of the 21 CFR Part 11 regulations issued by the United States’ FDA (Food & Drug Administration).

Design and development of PANalytical systems is done according to ISO9001:2008 and ISO14001:2004 certified processes and procedures. These formalized processes and procedures include standards for all aspects of the development process, used in each project and safeguarded by PANalytical’s quality control organization.

Integration of PANalytical systems in a 21 CFR Part 11 compliant laboratory environment is straightforward because PANalytical offers tools and services to guarantee authenticity, integrity and confidentiality of electronic records and electronic signatures. The final system qualification is also supported with products and services.

Complete traceability and reproducibility are guaranteed in terms of experiment, operation (automatic audit trail generation) and analysis (complete history with all parameters used to achieve the analytical results).

The proper set-up of the operating system Microsoft (MS) Windows and network tools provides security, while the audit trail software detects if electronic records are made invalid or changed, guaranteeing tamperproof data.

PANalytical also offers system validation support, comprising products for installation qualification (IQ) and operation qualification (OQ), and support for design qualification (DQ) and performance qualification (PQ).

PANalytical systems

This document is applicable to the following software herein to be referred to as PANalytical software platforms:

  • SuperQ
  • Epsilon 3
  • Epsilon 5

All PANalytical systems are closed systems according to FDA’s definition and are subject to the controls as defined by the FDA.

A closed system is (21 CFR Part 11 Section 11.3) “an environment in which the system access is controlled by persons who are responsible for the content of electronic records that are on the system”.

About controls for closed systems (21 CFR Part 11 Section 11.10): “Persons who use closed systems to create, modify, maintain or transmit electronic records shall employ procedures and controls designed to ensure authenticity, integrity, and when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine”.

System security

The access security is a two-stage process, since the user first logs on to the PC and next to the operating software of the system.

The following security events are saved into the Enhanced Data Security (EDS) software module: login/logoff, start/stop instrument sessions and security alarm events. Additionally, in the Alarm Monitor, an alarm is generated after three failed attempts for each security or signature event.

PANalytical uses the MS Windows user name and passwords. Password length, expiration period, etc. are subject to the role of the user. Compliance with 21 CFR Part 11 makes the system owner responsible for a number of duties: proper operating system configuration, putting backup and disaster recovery procedures in place, and setting up and maintaining a Standard Operating Procedure (SOP). PANalytical gladly offers support to help you achieve this.

MS Windows security policy set-up.

Where needed, the software modules provide privilege levels, depending on the role of the user.

Audit trail and traceability

Experimental traceability is a very important requirement for a proper analysis process. To guarantee this, each experimental parameter regarding the sample, the instrument and its settings must be saved with the measured data. Analytical traceability goes one step further: each analysis parameter must additionally be saved. Process traceability gives the complete picture: it must additionally be saved who did what, when and why. PANalytical XRF software platforms satisfy all the above criteria. The audit trail records contain data about process, security and electronic record traceability.

The following events are saved as audit trail records: application login/logoff, unauthorized attempts handling, start/stop instrument sessions, and new/changed electronic records. The Enhanced Data Security (EDS) audit trail database contains the following data, if applicable: event type, user ID, full (printed) user name, date/time (including UTC offset), electronic record identification, additional data such as sample name and sample ID. The EDS audit trail software is always active and cannot be bypassed. The reporting functionality of the EDS software ensures reliable copying and readability by the FDA.

Electronic records

The FDA defines in 21 CFR Part 11 electronic records as: “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system”. In PANalytical XRF systems, electronic records comprise measurement data and analysis data. All the records are stored in a database.

Reports can be stored in CSV file formats. In addition, LIMS-optimized human-readable data formats can be automatically forwarded for safeguarding and processing. The readability of all electronic records and report files by public domain software or by the analytical software is guaranteed throughout the minimum required retention period as valid for the subject electronic records.

The electronic records contain the complete history including all parameters, for repeatability and traceability purposes.

The database that contains all electronic records can be protected from both modification and deletion using the MS Windows file security mechanisms. Backing up and archiving can be done with any common tool made for this functionality.

Electronic signatures

PANalytical has implemented nonbiometric signatures. Both user name and full (printed) user name are included, as well as the date and time (including UTC offset) and the meaning of the signature (for example: data measured, approved). The identity of the signer is checked at each signing. Each signing is stored in the EDS audit trail database.

All sessions are treated as continuous sessions on the condition that the PC is not idle for a pre-defined period of time. This means that only the password has to be given, while the system assumes that the same user is operating it.

Requirements checklist

The tables for SuperQ, Epsilon 3 and Epsilon 5 list the specific sections and requirements of 21 CFR Part 11. For each FDA requirement, it is explained how this requirement is implemented in PANalytical XRF systems.

SuperQ

Epsilon 3

Epsilon 5

Abbreviations

ASCII   American Standard Code for Information Interchange
CFR     Code of Federal Regulation
CSV     Comma separated values
DQ      Design Qualification
FDA     Food & Drug Administration
G*P     Good Laboratory/Manufacturing/Automated Manufacturing/etc. Practice
IQ      Installation Qualification
ISO     International Organization for Standardization
LAN     Local Area Network
MS      Microsoft
PC      Personal Computer
PDF     Portable Document Format
PQ      Performance Qualification
OQ      Operation Qualification
RTF     Rich Text Format
SOP     Standard Operating Procedure
UTC     Universal Coordinated Time

Glossary

Terminology
Meaning

Audit Trail System
System that keeps track of the history of events for security checks and reporting purposes.

Biometrics
A method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

Closed system
An environment in which the system access is controlled by persons who are responsible for the content of electronic records that are on the system.

Digital signature
An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

Electronic record
Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

Electronic signature
The scripted name or legal mark of an individual, handwritten by that individual and executed or adopted with the present intention to authenticate writing in a permanent form.

Instruction sets
Pre-defined sequences of actions or sets of parameters, including measurement programs, automatic processing rules, user batches for automatic analysis and report templates.

Open system
An environment in which the system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

Operating system
Microsoft Windows (or MS Windows): Windows XP or Windows 7.

Standard operating procedure
A set of standards dedicated to a specific topic. This will define the explicit method(s) to be followed in accomplishing a designated task.