Electronic records/signatures security

The supplier must not only be able to show that there is a QMS but also that it is actively used. SAP manages quality management documents and quality item lists electronically and thus ensures that employees have constant access to the most up-to-date information. Because it is managed electronically, it is possible to construct automatic workflows to ensure that the process steps prescribed are followed. It is important to note that suppliers do not have to conform with U.S. 21 CFR 11 governing the use of electronic records and signatures. Customers should nevertheless expect suppliers to ensure that electronic records are secure and that their integrity cannot be compromised by data corruption or unauthorized manipulation. 

CFR - Part 11 means that you must be qualified to do your work, your programming must be validated, you must have system security in place, and you must have change control procedures for your SAS programming. The current additional FDA guidance on 21 CFR - Part 11 is titled Guidance for Industry Part 11, Electronic Records Electronic Signatures—Scope and Application. ... 

CFR11 is a U.S. regulation requiring security of electronic records and electronic signature requirements. It applies to... 

Automated dissolution equipment in most cases must be compliant with the FDA electronic records and electronic signatures regulation (21 CFR Part 11). The requirements of the regulation include use of validated systems, secure storage of records, computer generated audit trails, system and data security via limited access privileges, and the use of electronic signatures. 

All aspects of the electronic records and electronic signature systems in place have been designed to provide a level of security and control equal to or exceeding the equivalent controls inherent to manual (paper) systems. This equivalency principle provides evaluative criteria for all electronic signatures. There is not a mandate to make a system perfect, error-free, or completely hacker-proof, although these are all appropriate ultimate goals rather, sufficient controls are required to assure that an electronic system is as secure or more secure than an equivalent manual system. 

Requirements for electronic records and electronic signatures [13-15] System security, data integrity, traceability, and data archive/retrieval. 

In addition to testing the system components, a test of software functionality would be performed to test the system software operation and electronic records and electronic signatures (ERES) compliance (security, data integrity, data backup, and archive). In order to test the software functionality, a predetermined set of instructions can be entered step by step into the system. The system responses are then compared to the expected outcomes of the instruction and any problems with the execution are determined. Some vendors will provide a standard set of data which can be processed by the system to verify the data-handling capability of the system. 

CFR Part 11 Electronic Records and Electronic Signatures (ERES) system security, data integrity and tracibilty, audit trail, and archive... 

The security strategy selected has to ensure that cells containing formulas (on purpose, by mistake, or by the auto-save function) of the spreadsheet cannot be overwritten. In today s standard office network environment, in some cases, the network itself is, not validated and does not fulfill the electronic record/electro-nic signature requirement. Therefore, the validated spreadsheets should be stored in a protected drive to which only restricted personnel have access. Furthermore, the server used for storage/handling should be qualified. Figure 18.7 is an example. 

Electronic record/electronic signature. Currently, requirements concerning ER/ES according to FDA 21 CFR Part 11 cannot be implemented with Excel spreadsheets. Concerns include file protection, security, user access, audit trail, version retention, file deletion or erasure, electronic signature(s), and network issues. These can be resolved using a hybrid system, an electronic version of the spreadsheet and an approved hard copy. After data entry (and subsequent to... 

Compliance assessments for computer systems are performed periodically, based on the applicable predicate regulatory and Part 11 requirements. These assessments must be performed in order to identify any functional gaps, and/ or procedural gaps, which may be present for each computer system implemented. The analysis will determine if operational, maintenance or security controls, specific to the system, provide a controlled environment ensuring the integrity of the electronic records and/or signatures as stated in the regulatory requirements. Additional information can be found in Chapter 19. 

Electronic signatures security The system should be able to identify changes to electronic records in order to detect invalid or altered records,... 

As a result of the fundamental principles above, all computer systems performing regulated operations must protect their electronic records by means of access controls, audit trail controls, and Part 11-associated operational checks. For those computer systems that implement electronic signatures, the security and control of electronic signatures must also provided. 

The evaluation of computer systems performing regulated operations is the first phase to achieving an organized, prioritized, and balanced Part 11 Remediation Project approach. The objective of the evaluation is to identity the system s functional and/or procedural gaps results of the evaluation will determine whether the operational, maintenance, or security procedures specific to the system will provide a controlled environment, which ensures the integrity of the electronic records and/or signatures as stated in the Part 11 requirements. 

Europe issued its own directive on electronic signatures in 1999." Although originally developed for e-commerce, it is also applicable to GDP and GMP apphcations. The MCA is clarifying the scope of its use for GCP and GLP apphcations, and at least a minimum degree of applicability is certain. European regulatory authorities refer to ISO 17799 on information security management" and reference to advice on the admissibility of electronic records." ... 

Systems such as Manufacturing Execution Systems (MES) or Electronic Batch Record Systems (EBRS) that rely upon electronic identification of individuals should ensure that electronic identification/signatures are secure from abuse and falsification and that substitutes for handwritten signatures should nonetheless be as secure as conventional handwritten signatures. ... 

Logical security controls should be applied to all chent PCs containing GxP applications and electronic records. Security controls should conform to electronic record and electronic signature requirements. Such controls include (but are not hmited to) ... 

Since August 1997, the FDA has been enforcing 21 CFR 11 [4] in order to tackle the long debated issue of electronic signatures and electronic records. The requirements for electronic records are to ensure that they are as secure and capable of audit as paper records. It must be possible to identify valid and invalid records, with any changes followed in the correct sequence with the... 

W. Winter and L. Huber, Implementing 21CFR Part 11 Electronic Signatures and Records in Analytical Laboratories, part 2, Security Aspects for Systems and Applications, BioPharm 13(1), 44-50, 2000. 

---