Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CERF ELN, 21CFR11 Analysis and Compliance


Published on

This slideshow analyzes the 21CFR11 requirements with respect to CERF ELN by Lab-Ally, and justifies how CERF ELN is compliant with the requirements. The reader should expect to gain information about 21CFR11 requirements, CERF functionality and customization.

Published in: Technology
  • Login to see the comments

  • Be the first to like this

CERF ELN, 21CFR11 Analysis and Compliance

  1. 1. CERF Electronic Lab Notebook (ELN) 21 CFR 11 Compliance Created by
  2. 2. Contents • Background of 21CFR11 • CERF design around 21CFR11 • Code of Federal RegulationsTitle 21, part 11 • Subpart B—Electronic Records • 11.10 Controls for Closed Systems • 11.30 Controls for Open Systems • 11.50 Signature Manifestations • 11.70 Signature/record linking • Subpart C –Electronic Signatures • 11.100 – General Requirements • 11.200 – Electronic signature components and controls • 11.300 – Controls for identification codes/passwords
  3. 3. Background • 21 CFR Part 11 published in 1997 • Does it apply to you? • Medical Device • Pharmaceuticals • Biologics • FDA published Guidance for industry in 2003  describes how 21 CFR should be implemented • In July 2010 FDA announced that compliance with Part 11 would be part of routine quality inspections • Electronic Lab Notebooks used to organize data for medical devices, pharma, or biologics should address 21 CFR 11
  4. 4. CERF Electronic Lab Notebook 21 CFR 11 Compliant • Collaborative data and document managing solution • IQ,OQ,PQValidation Packages available • Ultra-long-term storage of files, records and resources • Semantic traceable metadata • Used by • Pharma companies, Medical DeviceCompanies • Academia • When used in regulated environments CERF must be compliant • For more about CERF click CERF 5.0,Why CERF?
  5. 5. 21CFR11 Analysis of CERF ELN feature set and data management technologies
  6. 6. Controls for Closed Systems...
  7. 7. 11.10 (a) • “Validation of systems to ensure accuracy, reliability, consistent intended performance, and ability to discern invalid or altered records.” • CERF internallyValidated at software release • IQ,OQValidation Package ensures consistent intended performance • CERF tracks all document changes, versions documents
  8. 8. 11.10 (b) • “The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.” • Print to PDF and Print toWord Functions allow exporting of records for review. • Records are readable and reviewable • Notebooks also exportable in .xml
  9. 9. 11.10 (c) • “Protection of records to enable their accurate and ready retrieval throughout the records retention period.” • Records stored in MySQL database • All document changes are tracked, users cannot directly modify or delete records in CERF, all actions are mediated(and recorded) through CERF server • Documents retrievable at any time given appropriate user permissions
  10. 10. 11.10 (d) • “Limiting system access to authorized individuals.” • Each username has affiliated workgroup privileges for • Record access • Signature permission • Record modification access • template access • Users may not have multiple sessions open at one time
  11. 11. 11.10 (e) • “Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records...” Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.” • CERF captures audit trail information any time data is created, modified or deleted • Creation data/time • Modified date/time • Username, object which modified • Action taken, new content
  12. 12. 11.10 (e) cont. • “...Record changes shall not obscure previously recorded information...” • All previous metadata is saved with each record version, and no previously recorded information is deleted or obscured
  13. 13. 11.10 (e) cont. • “...Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.” • CERF audit trail records are available for the lifespan of the CERF server deployment
  14. 14. 11.10 (f) • “Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.” • User must log in and remain in a session to alter records • CERF has record Check-Out and Check-in so only certain users may modify at a time • Customizable business policies to fine tune workflows
  15. 15. 11.10 (g) • “Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.” • Business Policies define log in log out workflows, signature workflows, record alteration access • Only the system admin will have access to the host server hardware and operation system, admin also defines business policies
  16. 16. 11.10 (h) • “Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.” • CERF Desktop Clients act as appropriated device to access CERF server • Desktop clients must be configured for specific CERF servers
  17. 17. 11.10 (i) • “Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.” • Organizations must ensure their users are qualified. USER DEPENDENT
  18. 18. 11.10 (j) • “The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.” • Organizations must establish their own written policies for CERF usage of electronic signatures. USER DEPENDENT
  19. 19. 11.10 (j) • “The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.” • Organizations must establish their own written policies for signature workflow. USER DEPENDENT
  20. 20. 11.10 (k) • “Use of appropriate controls over systems documentation including: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.” • CERF administrators have the highest level control of CERF, organizations are responsible for assigning and maintaining administrative roles, as well as CERF documentation USER DEPENDENT
  21. 21. 11.10 (k) cont. • “Revision and change control procedures to maintain an audit trail that documents time sequenced development and modification of systems documentation.” • Organizations are responsible for the ways in which they organize records in CERF, however Lab-Ally provides system operation and maintenance documentation. USER DEPENDENT
  22. 22. Controls for Open Systems...
  23. 23. 11.30 • “Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures, e.g., document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality” Not Applicable • CERF is a Closed System • CERF supports technology for open implementation • encryption
  24. 24. 11.50(a) - Signature manifestations • “Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1)The printed name of the signer; (2)The date and time when the signature was executed; and (3)The meaning (such as review, approval, responsibility, or authorship) associated with the signature.” • CERF signatures contained full printed name, date/time of signature, the signature meaning, the role of the signer, and any comments provided.
  25. 25. 11.50(b) • “The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records, and shall be included as part of any human readable form of the electronic record (such as electronic display or printout)” • Electronic signature records are secure from unauthorized access, can be displayed or printed
  26. 26. 11.70 – Signature/record linking • “Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.” • Once signature is established on resource, irrevocable link is established between signature and object. It cannot be altered
  27. 27. Subpart C – Electronic Signatures
  28. 28. 11.100(a) – General requirements • “Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.” • CERF enforces uniqueness of username and password combination • Digital Signature password required for signing
  29. 29. 11.100(b) • “Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual” • Organizations must verify their members to assign them digital signatures USER DEPENDENT
  30. 30. 11.100(c) • “Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1)The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature. ” • Organizations must verify their CERF users who will use electronic signatures USER DEPENDENT
  31. 31. 11.200(a)(1) – Electronic signature components and controls • “Electronic signatures that are not based upon biometrics shall: Employ at least two distinct identification components such as an identification code and password.” • CERF requires a user id and password
  32. 32. 11.200(a)(1)(i) • “When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.” • CERF requires initial login, and is required to provide digital signature password during each signing
  33. 33. 11.200(a)(1)(ii) • “When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.” • CERF requires initial login, and is required to provide digital signature password during each signing
  34. 34. 11.200(a) • “Electronic signatures shall: (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.” • CERF user ids, passwords, and digital signature passwords, are unique and known only to the individual users • CERF allows a peer review signature workflow that requires multiple individuals users to input their signature password
  35. 35. 11.200(b) • “Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners” • Biometric devices and software is outside of CERF scope. Customized solutions may be available for CERF. USER DEPENDENT
  36. 36. 11.300 - Controls for identification codes/passwords “Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.” • CERF enforces unique user id and password combinations • No duplicate user id • Password control is customizable per business policies
  37. 37. 11.300(b) “Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)” • CERF supports password aging • Business policies can set • Period of time between password renewal • Uniqueness of new password
  38. 38. 11.300(c) “Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.” • CERF does not use identification devices • Administrator has ability to disable user accounts, and reset password • User must immediately modify password upon first log-in USER DEPENDENT
  39. 39. 11.300(d) “Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.” • Customizable safeguards • No. of password attempts before account disable • Account time-out after inactivity • Only one session per user • Admin has access to logs detailing user log in activity
  40. 40. 11.300(e) “Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.” • CERF does currently not use identification devices or tokens • Lab-Ally offers IQ,OQ,PQ validation of CERF to ensure proper function USER DEPENDENT
  41. 41. Is 21CFR11 the only rule set a regulated organization should worry about? • By itself 21CFR11 includes many safeguards that are required by FDA regulated studies but anyone working in a regulated environment should also strive to follow other best practice guidelines such as • ALCOA-PLUS • Good Documentation practice (GDP) • ISO 15489 and related standards
  42. 42. Is CERF fully 21CFR11 compliant “out of the box” • A common misconception related to data management software is that is can be “validated” as 21CFR11 “out of the box”. In fact, no system should be considered fully compliant until it has been validated by a suitably qualified expert in-situ. Compliance involves a range of factors such as user training, and behavior patterns, IT oversight, system configuration and more that can ONLY be determined once the product has been deployed on site.
  43. 43. Conclusion • For ELNs in industry, 21CFR11 compliance is necessary • Computer SystemValidation also often necessary, Lab Ally offers IQ,OQ,PQ Validation packages • CERF ELN is a robust system designed with 21CFR11 in mind • CERF is compliant with 21CFR11, dependent on organizational choices , as detailed by the requirements demarcated with the text “USER DEPENDENT” • Compliance with 21CFR is necessary, and aids in data organization, organization efficiency, and enhances industry standards. • Thank you for viewing this presentation. Please contact Lab-Ally for any questions, concerns, or inquiries.
  44. 44. References • “Title 21, Chapter I, Subchapter A, Part 11.” Electronic Code of Federal Regulations, FDA, 14 May 2018 t=11 • “CERF 21 CFR PART 11 COMPLIANCE.”, Lab Ally, 2016, cerf- http://cerf-