BioPier Product 21 CFR Part 11 Compliance

BioPier, provider of the Clinical Workbench product suite, is committed to partnering with our customers in meeting our mutual goal of the design and production of products to the highest quality and reliability. Many of our customers in FDA-regulated industries, such as the design and manufacturing of pharmaceutical and medical device products, rely on Clinical Workbench as an integral software tool within their Research and Development and Quality Control processes. Clinical Workbench is used within organizations in applications where the FDA's 21 CFR Part 11 regulation is applicable. The Clinical Workbench software suite aids organizations in their compliance efforts by meeting all of the requirements of 21 CFR Part 11. BioPier, through its Technical Services group, provides software validation services as part of the deployment of Clinical Workbench applications.

Overview of the Regulation

In 1997, the FDA released the final version of the 21 CFR Part 11 regulations. The regulation provides the framework in which organizations are able to produce, store and provide secure access to electronic records. The scope of the regulation includes any area where paper-based records had been required. 21 CFR Part 11 is relevant when those paper-based procedures, signatures, and storage techniques are to be replaced with electronic recordkeeping via a computer-based system. The regulation includes rules regarding the copying, audit trails, version control, access control, and signatures of electronic documents being stored and produced for compliance purposes. As of the writing of this document, the FDA guideline is that 21 CFR Part 11 is not relevant where physical records are kept, including print-outs of computer-generated reports and documents that are then signed and archived. Compliance with 21 CFR Part 11 entails both procedural requirements and software requirements. The procedural requirements include validating the electronic records system, drafting and maintaining standard operating procedures for the use of the electronic records system, and ensuring that users of the electronic records system have adequate training about its appropriate use and administration.

Clinical Workbench is used for many applications where 21 CFR Part 11 is relevant. For example, Clinical Workbench is used by organizations:

For each of these applications, Clinical Workbench may be used for any combination of the following activities:

Depending upon the application, the data and results used for these purposes may be subject to the rules of the 21 CFR Part 11 regulation.

Clinical Workbench's Approaches for Compliance

Clinical Workbench is compliant with the software requirements of 21 CFR Part 11 through at least two approaches:

  1. Clinical Workbench: Clinical Workbench provides an integrated system for the storage, approval and archiving of data, results, reports, SOPs and any other document related to the Clinical Workbench application. The Clinical Workbench satisfies all of the 21 CFR Part 11 requirements.
  2. Third Party Systems: Where an organization already has a clinical data collection/storage system, Clinical Workbench integrates with that system to communicate to its repository for the storage and retrieval of documents. In addition, BioPier Technical Services provides validation packages to assist our clients in the validation requirements of Compliance.

The Compliance of Clinical Workbench to 21 CFR Part 11

This section provides details of how the Clinical Workbench complies with the relevant sections of 21 CFR Part 11. Excerpts from the regulation are provided in quotes and bold text.

"11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."

BioPier provides validation services as part of its installation and qualification of the Clinical Workbench-based application.

"11.10(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency."

Records include Clinical Workbench Documents such as Spreadsheets and Graphs, as well as image files, MS Word or Excel documents, PDF, text files, etc. Clinical Workbenchdocuments stored in the system can be can be accessed and viewed/printed from within the Clinical Workbench environment. Using the client application, all document types can be copied to the local machine and viewed/printed in their nativeapplications.

"11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. All records and their metadata, to include historical versions, can be readily retrieved."

The Clinical Workbench stores all versions of all files without automatically deleting or removing previous versions.

"11.10(d) Limiting system access to authorized individuals."

The system has multiple levels of security. Each user is assigned an account with a unique username and password, both of which are required to log on to the system. The user's identity and role are combined with the access control system attributes of one or more documents to determine whether access to a procedure on a document should be permitted or denied.

"11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall beretained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."

Each action performed in the system including modifying, creating, and deleting documents are written automatically to audit trail tables in the system's database.

"11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand."

The Clinical Workbench uses a combination of a username and password to authorize an electronic signature.

"11.10(k) Use of appropriate controls over systems documentation including:
  1. Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
  2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. "

The Clinical Workbench documentation is updated and distributed with each version of the software. Each set of documentation, including, User manuals and Administrator manuals, are uniquely identifiable as applying to its specific version.

"11.50(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
  1. The printed name of the signer;
  2. The date and time when the signature was executed; and
  3. The meaning (such as review, approval, responsibility, or authorship) associated with the signature. "

An electronic signature is executed by the user through the user interface of the application, whereupon the user is required to enter her username and password. The electronic signature is stored in the database along with the name of the unique identifier of the document, the signer's full name, the date and time the signature was executed, and the meaning of the signature. When viewing or printing the record from within the system, a signature page is displayed / printed which will include all required items.

"11.70 Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means."

An electronic signature is stored within the system in a relational database that maintains a link between the record and the signature. From within the system it is impossible to remove, modify, or transfer an existing electronic signature. An electronic signature is linked to a specific version of a specific document. A handwritten signature applied to a paper document which is then transferred to an electronic format and placed in the system is under the same controls as any other document in the system including tracking of modifications and audit trail, and therefore the signature cannot be excised, copied, or transferred using ordinary means.

"11.100(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else."

Each username/password combination is unique. User accounts can be disabled by an administrator but cannot be removed from the system, thus the system enforces that the signature cannot be reused or reassigned.

"11.200 (a) Electronic signatures that are not based upon biometrics shall:
  1. Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
  2. Be used only by their genuine owners; and
  3. Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

"11.200(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners."

The Clinical Workbench does not use biometric authentication techniques. Instead, a user of the system enters her username and password combination to authorize a signature.

"11.300 Controls for identification codes/passwords. Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: 11.300(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. "

The Clinical Workbench enforces the requirement that the each combination user id / password is unique.

"11.300(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)."

The Clinical Workbench allows for passwords to expire after a set period of time. Conclusions Clinical Workbench provides integrated solutions for compliance to 21 CFR Part 11 requirements.

For more information about the details of an approach for your application, contact BioPier.