Q-Pulse for electronic records and signatures: FDA 21 CFR Part 11

23 December 2020


It's hardly surprising many life science companies find complying with the FDA 21 CFR Part 11 expensive and impractical. Initially attracted by low implementation costs, they get by using 'single-use' applications which are clearly not fit for purpose. 

Tools like SharePoint, Jotform and outdated Lotus Notes systems are still widespread. When using these systems, quality professionals spend their days manually checking records, verifying audit trails, validating the system, chasing departments and carefully coordinating an ever-expanding portfolio of software applications and compliance records.

When submission time comes, they cross their fingers, hoping the auditor will find everything they want to see.  

"I'd feel anxious everything wasn't where it was supposed to be."

Part of the reason life science companies have been slow to adopt integrated electronic quality and compliance management systems is the initial resource investment to validate a system. When investors and management teams want to get a product to market, they don't want to wait. Management becomes focused on the new device or drug which can save or enhance people's lives, and compliance checks and regulatory records become something to fix later.

But implementing an integrated electronic quality management system is significantly less expensive, more practical and less time-consuming than having your quality managers spend precious working hours completing basic administration work.

Or worse still, risking a rejected submission. 

Here’s how our quality management software, Q-Pulse Cloud, helps you to comply with FDA 21 CFR Part 11 and the FDA’s electronic signatures requirements:

General

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.10 (a) | The system is validated. The scope of validation includes tests and checks, which demonstrate compliance with all applicable parts of FDA Title 21 CFR Part 11. | The core system goes through development validation testing. Test records are retained. To comply with the regulation, you must also undertake validation testing once installed and configured. |
| 11.10 (i) | Personnel who developed the system are properly trained and have suitable experience. | Ideagen has an industry-leading employee training and development programme. Employee on-boarding and recruitment are all assessed, and competency gaps monitored. |
| 11.10 (i) | Personnel who maintain the system are properly trained and have suitable experience. | Ideagen provides training, advice and ongoing support. |
| 11.10 (i) | Personnel who use the system are properly trained and have suitable experience. | Ideagen provides validation and implementation training to ensure your team are competent to complete internal tests. |

Documentation

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.10 (k) (1) | Adequate documentation is available to describe the maintenance of the system. | Manuals, videos, guides and ongoing support are available to help users learn how to configure, use and maintain the system. |
| 11.10 (k) (2) | Controls are in place to ensure only authorised users see documentation. | Advanced control permissions ensure users are only able to see and use specified functionality. |
| 11.10 (k) (2) | System documentation is produced and maintained under a revision control procedure. | All documentation is produced and maintained under a strict revision control procedure and documented in our central management system. |

System security

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.10 (d) | System access is limited to authorised individuals. | Access to the system is dependent on the user being registered with a unique username and password. Q-Pulse has rich access management functionality based on permissions. |
| 11.10 (g) | Authority checks are in place to restrict specific system functions to authorised individuals. | Access to different areas of system functionality and data sets is provided subject to individuals and groups being given permissions by system administrators. |
| 11.10 (d) | An approved procedure which describes the administration of security is available which includes: Add new user, assign user to groups/roles, change user privileges, deactivate user, force reissue of password. | Administrator guidance documents which describe how to perform these tasks in the system are provided by Ideagen and training is given. It is the responsibility of the customer to define and document responsibilities and approvals processes. |
| 11.10 (d) | To ensure the uniqueness of user IDs, users should never be deleted from the system. Instead, the IDs should be deactivated and retained. | Users are made inactive within Q-Pulse and retained records. |

Operational checks

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.10 (f) | The system forces a permitted sequencing of steps and events as appropriate. This is system independent and an enforced sequence of operations may not be required. | Where permitted users specify sequenced workflows then the system enforces the sequence of events and the individuals mandated to complete them. |

Device checks

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.10 (h) | Device checks are used to determine the source of data or operational instruction. This is system independent and device checks may not be required. E.g. a standalone system is unlikely to require device checks. | The system determines the source of data by user authentication for each session. Users may be device independent. |

Electronic records

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.10 (b), 11.10 (e) | Accurate copies of electronic records (including audit trails) can be made in both paper and electronic form. | This is standard functionality within Q-Pulse. |
| 11.10 (b) | An approved procedure, which describes the process of making these copies, is available. | The procedures for downloading copies of records from the system are described in system guidance documentation. Access to records is controlled and only authorised individuals may access the required functionality and data. Where Ideagen is responsible for system hosting, backups are taken utilising a fast, affordable, multi-platform and reliable Continuous Data Protection and point-in-time recovery solution. |
| 11.10 (e) | Electronic records (including audit trails) are backed up on a regular basis. | All backups are by default stored and encrypted in a remote and secure data facility. If Ideagen does not provide system hosting services then backup is a customer responsibility. |
| 11.10 (c) | An approved procedure, which describes the backup process, is available. | Where Ideagen is responsible for system hosting, an approved procedure is in place and is regularly reviewed as part of the ISO 27001:2013 certification. If Ideagen does not provide system hosting services then the backup is a customer responsibility. |
| 11.10 (c), 11.10 (e) | Electronic records (including audit trails) can be archived for long term storage and are fully retrievable. This should be designed to retain the record for the period required by the predicate rule. | No closed (completed and approved) records may be deleted from Q-Pulse. Records may be archived and can be retrieved at any time by authorised users. The procedures for downloading copies of records from the system are described in system guidance documentation. |
| 11.10 (c) | An approved procedure, which describes the archive and restore process, is available. | Access to records is controlled and only authorised individuals may access the required functionality and data. It is the customer’s responsibility to define and maintain procedures and responsibilities which determine which users are granted the required permissions. |
| 11.10 (c) | The retention period for the electronic records created by the system is clearly defined. | The default retention period is indefinite. |

Audit trails

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.10 (e) | Creation, modification and deletion of any electronic record covered by the rule results in the creation of an entry in an audit trail. | Q-Pulse has rich audit trail functionality as standard. |
| 11.10 (e) | The audit trail is generated automatically by the system. | Audit trails are automatically generated by the system. |
| 11.10 (e) | Each audit trail entry consists of: Operator ID; Action performed; New and previous value if the action is modified or updated; Time and date action occurred. | Each audit trail consists of operator ID, action performed, new and previous values and time/date stamped. |
| 11.10 (e) | An approved procedure, which describes the method of maintaining the accuracy of system clocks, which perform time stamping, is available. This should include the regular synchronisation of system clocks if appropriate. | All system date/time functionality is derived from the system server clocks and is described in MS O/S guidance. Where Ideagen provides system hosting the O/S administration procedures are maintained and reviewed regularly as part of ISO 9001 certification. Where Ideagen is not the hosting provider then O/S administration is the responsibility of the customer. |

Electronic signatures and general requirements

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.10 (j) | A written policy is available that holds individuals accountable and responsible for actions initiated by their electronic signature. Records are available to confirm that all electronic signature users have read and understood this policy. | Where required, electronic signatures are enforced by the system and include a warning to users that their electronic signature is being recorded and that they are accountable for the actions they are signing. By completing the electronic signature, the user is confirming that they have read and understood the policy. |

Signature record linking

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.70 | Each electronic signature is linked to its associated electronic record to ensure that the signature cannot be excised, copied, transferred or in any way falsified by ordinary means. There must be no access to electronic signatures other than read only via the standard system functions. Any other access to records containing signatures must be restricted. Any legitimate access to such records (e.g. database administrator) must be restricted by a formal written procedure. | The system ensures that complete record integrity, including signature components, is maintained and cannot be tampered with. Access is read-only for system users. Where Ideagen provides system hosting then administration procedures are in place and reviewed as part of our ISO 9001 certification. Where Ideagen does not provide system hosting then hosting administration is the responsibility of the customer. |

Electronic signature issue

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.100 (a) | Each electronic signature is unique to one individual and shall not be reused by or reassigned to anyone else. | Electronic signatures utilise the unique user ID and password combination. It is the responsibility of the customer to ensure that policies are enforced to ensure that shared user IDs and password disclosure by users are not permitted. |
| 11.100 (a) | No shared/group accounts are defined as electronic signatures. | It is the responsibility of the customer to ensure that policies are enforced to ensure that shared user IDs and password disclosure by users are not permitted. |
| 11.100 (b) | The identity of individuals must be verified prior to the use of an electronic signature. | Users are required to resubmit their passwords for each signature. |
| 11.100 (a), 11.100 (b), 11.100 (c) | An approved procedure which describes the administration of electronic signatures is available and includes: Issue of electronic signatures; Withdrawal of electronic signatures; Loss management procedures. | The system automatically enforces the application and recording of electronic signatures. It is the responsibility of the customer to ensure that those users using electronic signatures in each instance have the competence and experience to do so. |

Non-biometric signature use

| Part 11 reference | Requirement | Comment |
| --- | --- | --- |
| 11.200 (a) (1) | The electronic signature consists of two distinct identification components such as: User ID/Password combination; Token (e.g. swipe card)/password combination. | A user ID and password combination is utilised. E-signatures within Q-Pulse are legally equivalent to manual signatures and are fully attributable to individual system users. Each signature is accompanied by a date and time stamp and the reason for signature. |
| 11.200 (a) (1) (i) | The first signing in a single period of controlled system access must use both signature components. | Each user login session requires both components. Each electronic signature during a login session requires password confirmation. |
| 11.200 (a) (1) (i) | Subsequent signings in the same session may use one component only. This is an optional requirement but if used then the component must be the secure part i.e. the password. | Each user login session requires both components. Each electronic signature during a login session requires password confirmation. The system automatically validates user identity. |
| 2.5.1.5 | The electronic signature must only be used by the genuine owner. | It is the responsibility of the customer to ensure that policies are enforced to ensure that shared user IDs and password disclosure by users are not permitted. |
| 2.5.1.6 | The password component of an electronic signature is not visible to any system user including the administrator. | All passwords are stored in an encrypted format and are not visible to any users. |

 

Learn more about managing your documentation in a controlled, compliant way with Q-Pulse Cloud.

Written by

Alexander Pavlovic

As Ideagen’s Marketing Executive, Alex produces targeted content to help Ideagen’s readers and customers navigate the complex world of quality, governance, risk and compliance.

Alex has worked with brands such as BT, Sodexo and Unilever and is passionate about helping businesses build a cohesive, collaborative culture of quality.
