Datastream 7i: 21 CFR 11 Compliance – Features that Meet and Exceed Requirements
Datastream 7i: 21 CFR 11 Compliance
Features that Meet and Exceed Requirements
Datastream 7i and 21 CFR 11 Compliance
In August 1997, the United States Food and Drug Administration (FDA) issued a set of regulations entitled 21 CFR 11 (Title 21 of the Code of Federal Regulations, Part 11). “These regulations, which apply to all FDA program areas, are intended to permit the widest possible use of electronic technology, compatible with the FDA’s responsibility to promote and protect public health.” The regulations set standards for systems containing electronic records and electronic signatures and standards for the use of such systems with respect to the release of safe consumables into the marketplace.
With the inception of these regulations and the initiation of FDA enforcement, affected businesses have scrambled to acquire automated systems that can stand up to the scrutiny implied by the stringent FDA requirements. Such businesses have met with mixed success – primarily because of uncertainty with respect to the actual regulation provisions and because of false claims made by vendors about the regulatory compliance of their products.
Datastream as a company committed early in the process to develop features and characteristics in its flagship Asset Performance Management product, Datastream 7i, that meet or exceed all specifications found both in 21 CFR 11 and in its predicate rules – “predicate rules” being previous FDA regulations that are implicitly referenced by 21 CFR 11. In developing such operational strengths, Datastream used 21 CFR 11 article-by-article as the basic guideline to ensure that Datastream 7i passed muster for each and every regulatory demand. The result is the most solidly compliant Asset Performance Management application on the market. Appendix 1 to this paper lists each article in 21 CFR 11 – and demonstrates how Datastream 7i attains compliance.
Exceeding Requirements
Not only does Datastream 7i comply with 21 CFR 11 requirements; in several areas of critical interest the application substantially exceeds the regulation. In surpassing FDA requirements, Datastream 7i offers greater system flexibility, more user and administrative convenience, and superior operational security for process areas of greatest concern. Examples of these excellent features include:
Ø CGMP Asset Designation – The system allows the designation of equipment as being cGMP (Current Good Manufacturing Practices) Critical. This means that the equipment has an effect on product quality, safety, and/or potency and must be maintained with particular care. Subsequently, the system can be set to generate Electronic Records for work performed on cGMP equipment only. This reduces Electronic Record administration because maintenance on non-cGMP equipment does not generate such records.
Ø PM Revision Control – Datastream 7i permits the set-up of approver groups that review all changes to Preventive Maintenance (PM) templates, equipment routes, material lists, and task lists before the system will allow these items to become active. This feature is important because Preventive Maintenance is the cornerstone of cGMP maintenance. As such, the PM process must be safeguarded and scrutinized more thoroughly than other routine maintenance.
Ø Inspection Revision Control – Similar to PMs, Datastream 7i Inspections are protected by Revision Control so that sensitive inspection procedures, set points, and inspection routes cannot be changed without thorough review. This feature adds an extra measure of safety in this crucial maintenance area.
Ø Calibration – Calibration is one of the few specific m aintenance tasks mentioned in the context of 21 CFR 11. Datastream 7i offers a full-service calibration program tailored for the FDA -monitored business. This calibration functionality and reporting package was designed with the assistance of some of our pharmaceutical industry customers so that its operations are fully compatible with FDA-compliance issues.
Ø Qualification/Certification Registry – Often a task requires a worker who has special skills, training, or certifications. Datastream 7i offers a registry where documentation of such person-specific capabilities may be recorded for an employee. Such a logging tool is useful enough, but Datastream 7i goes much further. When generating work items, a planner can actually specify skills, certifications, or training required to perform an activity. The system can restrict who may be assigned to perform that activity based on a list of employees who have the required qualifications. This additional safety feature helps ensure the highest quality asset performance management and is especially well-fitted for a highly regulated environment.
These enhancements contribute significantly to safe, efficient, and effective business processes while continuing to support the principles of FDA oversight.
Validation
Validation is a crucial concern for FDA -monitored businesses. In essence, validation is proving that an application reliably performs in the exact manner for which it was designed. This may sound simple, but in reality companies sometime expend huge amounts of resources – in time, people, and funding – in order to execute and document system validation.
Note the wording of that last sentenc e. It states that “companies” expend effort to validate. Many software vendors tell prospective customers that their applications are already “validated.” This is deceptive. No application is validated out-of-the-box – including Datastream 7i. Validation depends a great deal upon how a customer sets up and uses an application. In addition, some vendors claim that they will validate their application for the customer. Once again, this is contrary to FDA intent – because a vendor has a vested interest in executing a successful validation – even if such validation fails to meet FDA standards. Validation should be performed and documented by the customer or by a neutral third party. There are numerous consulting firms that specialize in system validation. This ensures objective evaluation of each validation point and provides for a validation process that will fully support FDA review.
Datastream 7i has been validated by numerous customers at numerous sites. The system is so well designed and documented that Datastream 7i has never had difficulty receiving prompt validation by our customers – affirmed by FDA audits and inspections.
Conclusion
Datastream is committed to superior asset performance management service within the context of FDA regulation and monitoring. We go beyond empty claims of compliance and seek to provide our regulated customers not only with compliant applications, but also with functionally robust, flexible, and powerful solutions to their asset performance management needs.
ABOUT DATASTREAM
Datastream (NASDAQ: DSTM) provides Asset Performance Management software and services to enterprises worldwide, including more than 65 percent of the Fortune 500. Datastream’s solutions combine world-class asset management functionality with advanced analytics to deliver a powerful platform for optimizing enterprise asset
performance.
By using Datastream’s solutions, customers maintain and manage capital assets – such as manufacturing equipment, vehicle fleets and buildings – and to create analyses and forecasts so they can take action to improve future performance. Datastream’s flagship product, Datastream 7i, delivers a complete Asset Performance Management infrastructure by combining Internet architecture with broad enterprise asset management functionality, integrated procurement, advanced analytics and multi-site capability.
Datastream was founded in 1986 and has customers in more than 140 countries. For more information, visit www.datastream.net .
>www.datastream.net
50 Datastream Plaza
Greenville, SC 29605
1.800.955.6775 (US and Canada)
1.864.422.5001 (Direct)
© 2004 Datastream Systems, Inc.
Reprinted with permission from from Datastream Systems, Inc.
All brand names, product names, and company names mentioned in this document are trademarks, registered trademarks, or service marks of their respective owners.
APPENDIX A: 21 CFR 11 Compliance Outline
Title 21 Code of Federal Regulations Part 11
ELECTRONIC RECORDS & ELECTRONIC SIGNATURES
Subpart B – Electronic Records
Section 11.10 – Controls for Closed Systems
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Datastream 7i has been validated successfully by several customers under the guidelines of 21 CFR 11. With reference to detecting invalid/altered of records, Datastream 7i’s Datalock feature flags any Electronic Record that has been changed from the back-end of the system – essentially monitoring the heart of the system database for unauthorized tampering of electronic records. The system provides a report that notes any record that has been flagged as having been tampered with. Datastream 7i is the only asset performance management application applying such back-end monitoring.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
All electronic records, with signatures where applicable, are available both on-screen and in printed reports. All electronic records can be exported to an external electronic file suitable for inspection and transmittal to FDA. File transfer formats include PDF and Spreadsheet.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
Datastream 7i is built using the Oracle or MS SQL database structure and is a completely scalable solution limited only by customer hardware memory. This means it is not necessary to ‘archive information’ – this places all data immediately available to the customer for reporting and analysis purposes. Records are protected from tampering and are maintained ready for retrieval at all times. In addition, all data is maintained through system upgrades.
(d) Limiting system access to authorized individuals.
Datastream 7i system access is restricted to only authorized users. Security for Datastream 7i is extremely flexible. User access to individual screens is controlled by User Group membership – as is a user’s ability to query, insert, update, or delete records. The ability to change the status of a record is controlled at the User Group and individual User level. All changes to security setups are limited to the System Administrator and can be tracked with the audit trail.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
The Datastream 7i audit trail captures the date/time of the event, the type of event (insert/update/delete), the exact record that was involved, old and new record values, and the identity of the user involved. Additional information is also captured. Audit trail trigger items can be selected by customer upon implementation and can be adjusted to meet any existing or anticipated cGMP needs. In addition, the date/time stamp reference value is always specified by the system based upon customer initial system settings – therefore time stamp definition is always known – even in a multi-time-zone scenario.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
Workflows can be defined that enforce steps to take place in certain predefined orders. This is done by adopting customer business process flow through its specific sequence of item status changes (Approval Chain, for example). In addition, specific users and/or user groups are granted selected status from/to change authority. This further limits who can do what in selected process flows and enforces sequential operations executed by included users. All changes to these setups can be tracked with the audit trail.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Security for Datastream 7i is extremely flexible. Customer specifies screens accessible to individual, what tabs on accessible screens are available, what operations may be performed on accessible screens (insert/update/delete/query), and what kind of information can be viewed. System permits segregation of information access by department. System permits segregation of job execution by users by Work Order Type. All changes to these setups can be tracked with the audit trail.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Datastream 7i does not offer any kind of special enforcement for external devices. However, a user must be properly authorized for the data entry operation in question before the system will permit such an operation to affect the system database. Such operations can fall under the system audit functionality. In addition, Datastream 7i does support the employment of various third-party methods of “hard authentication” including certificate formatting, tokens, physical keys, and the like.
(i) Determination that persons who develop, maintain, or use electronic record /electronic signature systems have the education, training, and experience to perform their assigned tasks.
For Datastream, all persons involved with developing, upgrading, and installing Datastream 7i have been thoroughly trained. Training records and certifications are available for customer review/audit. In addition, Datastream implements a complete, company-wide training regimen specifically designed to provided tailored training (based on product responsibilities) on 21 CFR 11, 210, 211, and 820.
The burden of this requirement for training users, however, falls on the customer. It is incumbent upon the customer to ensure quality training for all Datastream 7i users. Datastream certainly can provide system training that is tailored to individual customer (and user) needs. Datastream maintains detailed training records for all employees involved in the development of our software and of customer personnel receiving Datastream-provided training.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
This requirement refers to customer internal Standard Operating Procedures and internal security policies. Datastream can assist the customer in generating such documentation.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system ope ration and maintenance.
For Datastream, critical documentation relative to Datastream 7i development and testing falls under strict version control. In addition, only persons with specific authorization have access to such documentation. Version control records are maintained in ready-for-audit condition at all times.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Datastream documentation with respect to Datastream 7i development and quality assurance testing is kept under strict version control. This record keeping has successfully passed customer audits and reviews. Customer-generated documentation administration must contain provisions for recording changes in an auditable manner.
Section 11.30 – Controls for Open Systems
Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in Sec. 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
With respect to Datastream’s hosted solution (which could be viewed as an “open” system) and to Internet operation of the system, Datastream 7i makes use of SSL (Secure Socket Layer) technology for the transmission/exchange of encrypted data between the customer site and the hosting facility. For use with Datastream’s hosted solution, a user must attach a personal identification device to the USB port to enable operations. Other means of applying “hard” user authentication may also be employed. Access to hosted customers’ data is strictly limited to the absolute minimum number of trained personnel. Datastream’s Hosted Data Center falls under the most stringent physical and procedural security measures in the industry. In addition, the only access point to such data outside the Data Center is from the secure Network Operations Center at Datastream headquarters.
Section 11.50 – Signature Manifestations
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
When Datastream 7i is configured to capture an electronic signature for a certain event, it prompts for the User ID, Password, and the reason (meaning) for the signature (authoring, approval, review, etc.). When this electronic signature is viewed on an electronic record, the signer’s name, date/time of the signature, and the reason for the signature is displayed. This same information is provided in printed media as well. This information is a permanent part of the associated record and is subject to auditing.
Section 11.70 – Signature/Record Linking
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Electronic signatures are linked with associated records being signed for: both the record and the associated signature are stored in the same database table to ensure the closest verifiable linkage possible. The Datastream 7i feature known as Datalock ensures that an electronic signature cannot be modified or copied for use on a different record without that record being flagged as tampered.
Subpart C – Electronic Signatures
Section 11.100 – General Requirements
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
Datastream 7i enforces the uniqueness of all user signatures. This is based upon the User ID being the Primary Key for this function. As such, the User ID is unique and cannot be reassigned or deleted.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC -100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature.
These requirements fall under the responsib ility of general customer administration of electronic signatures and the employees who use them.
Section 11.200 – Electronic Signature Components and Controls
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
Datastream 7i uses User ID and Password as the unique identifier.
(a)(1)(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(a)(1)(ii)When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
Datastream 7i requires that the User ID and Password are both entered on the first signing. The password must be entered on subsequent signings if the process is uninterrupted. Else, both user ID and password must be reentered.
(a)(2) Be used only by their genuine owners; and
(a)(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
These items fall under the customer’s policies and training with regard to system access.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Datastream 7i does not currently provide any specific support for biometric-based Electronic Signatures.
11.300 – Controls for Identification Codes/Passwords
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
Datastream 7i uses User ID and Password as the unique user identifier. No two users can have the same User ID.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
Datastream 7i has a global settin g that specifies the maximum number of days that may pass before a user’s password must be changed. In addition, the system provides a global setting that specifies the minimum number of days that must pass before any user’s password may be reused. The system “remembers” all password histories and enforces this required time lapse regardless of the frequency of password change.
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
This requirement falls primarily upon customer standard operating procedures. The Datastream 7i system administrator has the capability of disabling a user’s Password and/or ID as needed to ensure that only properly authorized users have access to the system.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or ID Codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, to organizational management.
Datastream 7i provides a global setting to specify how many unsuccessful log-in attempts (ID/Password mismatch) are allowed before the user is locked out of the system for a period of five hours. In addition, all ID/Password mismatches are recorded in a Violation Log. The system can be set up to provide e-mail/pager notification whenever such a security violation occurs.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Initial testing of security devices used for facilitating system access is part of the implementation of Datastream 7i. Subsequent testing of such devices is determined by the customer’s standard operating procedures.
