Managing Compliance with 21 CFR Part 11 - Tangerine Software

Managing Compliance with 21 CFR Part 11by Tom Heinricher, Sage ERP X3 Senior Business ConsultantTitle 21, Part 11 of the U.S. Food and Drug Administration’s (FDA) Code ofFederal Regulations requires drug makers, medical device manufacturers,biotech companies, biologics developers and other FDA-regulated industries(except food manufacturers) to implement controls – including audits,validation systems and documentation – for software and systems involved inprocessing many forms of data as part of business operations and productdevelopment.The regulation was created to maintain the trustworthiness, reliability andintegrity of electronic records and to ensure that the authenticity ofelectronic records would be equivalent to paper records when submitted. Allcompanies and industries that submit or utilize electronic records and/orsignatures regulated by the FDA must comply with this federal regulation.But complying with the regulation proves to be a difficult task for mostcompanies. Since Part 11 was introduced in 1997, manufacturers haveendured much confusion as the regulation is open to a wide range ofinterpretations. In 2003, the FDA withdrew previous guidance and issued anew document on the “scope and application” of Part 11 which intended toclarify how it should be implemented and would be enforced, but this tooremains a subject of debate. In the near future, the FDA will issue revisedguidance for 21 CFR Part 11 which promises to offer a lessprescriptive, more risk-oriented approach to electronic recordkeeping.Despite the confusion surrounding Part 11, one thing remainsconstant. The FDA’s interpretation of the followingrequirements has not changed:Controls for closed systems,Controls for open systems, andElectronic signatures.With that in mind, compliance with regulatory requirements isa business-critical need that must be maintained, and the FDArecognizes that a technically advanced software solution canhelp companies manage compliance. Specifically, CFR 21Part 11 states that enterprise resource planning (ERP)systems must provide:Extensive transaction audit functionalitywith field, user, time and date reference,Document signature printing associationfor technical or quality assurancegenerated reports,Digital signature to support field and/orscreen level security authentication withchange reason codes and accessverification and historical user, time anddate references.(continued)Compliance withregulatoryrequirements is abusiness-criticalneed that must bemaintained, and theFDA recognizes that atechnically advancedsoftware solution canhelp companiesmanage compliance.

Further requirements are associated with the conceptof “validation” – for both the manufacturer (the effortdeployed by manufacturers to document and mapspecific company processes to associated softwarefunctionality) and the software developer (the processor methodology that developers use to test softwarefunctionality). Guidelines require that the company’sneeds and intended uses of its selected softwaresystem are established and that evidence that thecomputer system implements those needs correctly aretraceable to the system design and specification.To help companies adhere to 21 CFR Part 11, SageERP X3 offers the following functionality:Audit TrailsAssociated with the creation, modificationand deletion of electronic records, audit trailsare now standard in Sage ERP X3. Thefunctionality records user name, date, time,previous data, new data and the reason forthe change.Digital Electronic SignaturesAn electronic signature framework includestables, programs, actions and objects tostore, configure and collect uniquee-signatures, which are permanently linked tothe object and can not be modified or copied.For detailed information about how Sage ERP X3 helpscompanies comply with each requirement of Part 11,please see Table 1.While it may seem that complying with Part 11 is aburdonsome, costly undertaking, adhering to theregulations yields several benefits, including:Reductions in system vulnerability andabuse,Lower compliance-driven costs,Shorter validation time,Reductions in entry errors,Lower costs related to record retention,Improved data integration and modelingcapabilities,Advanced search capability via a decisionsupport system and data warehouse, andIncreased speed of information exchange.Sage ERP X3 can help your company enjoy theinherent rewards of becoming 21 CFR Part 11compliant. Contact us for a free assessment of yourcompany’s needs.Document SignaturesDocuments requiring handwritten signatures,such as Certificates of Analysis or TechnicalSheets, are generated with an image linked tothe specific document. The image plate iscontrolled and linked to the user profile.Validation ScriptsDocumentation describing various processcontrols deployed by Sage is available. Thesescripts are flexible in design, associatedwith clearly identified and documentedprocedures. They are easily transferred orincorporated into custom validation andcGMP documents to support companyinitiatives.Security FeaturesSeveral security standards safeguard againstunauthorized use, including automatic logoffafter a period of inactivity, auto logout aftertoo many failed logon attempts and logging ofall user activity.2

Managing Compliance with 21 CFR Part 11Table 1Part 11 Clause11.10(a)11.10(b)11.10(c)11.10(d)11.10(e)11.10(f)11.10(g)11.10(h)11.10(i)11.10(j)11.10(k)11.30Sage ERP X3 CapabilitySage ERP X3 manages audit trails for all electronic records, which are secured fromunauthorized access.All electronic records generated by Sage ERP X3 are accurate, complete andpresented in human readable format, and they can be printed or exported intoindustry standard formats like Adobe PDF and XML.All electronic records can be maintained in the active database or archived toaccommodate all required retention periods, even after software upgrades. Accessis secured and the system maintains the link between electronic signatures andelectronic records even after archiving.Advanced security features ensure that only authorized individuals access thesystem, and changes to security profiles are logged.Electronic records for creating, modifying or deleting data are automaticallygenerated. Records are time and date stamped with the user ID of the person whowas logged on to the system. The records maintain the old and new values of thechange and the transaction used to generate the record. All electronic records aremaintained in the active database for required retention periods, as is the link withthe electronic signature.Process instruction sheets used in the manufacturing process include operationalchecks to enforce permitted sequencing of steps and events.Authority checks, along with advanced security features, ensure that only authorizedindividuals can use the system, electronically sign a record, access the operation orcomputer system input or output device, alter a record or perform the operation athand.Terminals, measurement devices, process control systems and other input devicesare maintained by the system’s advanced security features and require authorizationfor connection.Sage requires that all personnel responsible for developing and maintainingSage ERP X3 have the education, training and experience to perform their assignedtasks. Sage offers a wide range of training classes to ensure a process ofcontinual learning.This clause refers to procedures required of the manufacturer and is not related toSage ERP X3.Sage ERP X3 provides a complete electronic library containing extensive field,functional and system related documentation. Consistent updates to documentationis provided to current customers and deployed in a controlled electronic format.For open systems, Sage ERP X3 supports interfaces with complimentary softwarepartners that supply ADAPI methods with public key infrastructure (PKI) technology.3