This technical note details the requirements of 21 CFR Part 11 and how the Mastersizer 2000 software meets these requirements.
This note examines the requirements of 21 CFR Rule 11, hereinafter referred to as "the Rule", and describes how the Mastersizer 2000 running software version 5.12 or higher meets these requirements.
If additional procedural steps are required to achieve compliance, these are highlighted with a document icon. The references in red type are those of the actual relevant clauses of the Rule and the passages in red italic script are extracts from the Rule.
Sec. 11.2 Implementation.
"(a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met."
If the electronic records produced by the application software are required for inspection by the FDA, such as a batch quality check, then the record may be kept in an electronic form if the requirements of the Rule are met.
The software can satisfy most of the requirements of the Rule. Those that cannot be satisfied by the application software can readily be supported by a written procedure.
"(b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:
1. The requirements of this part are met; and
2. The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission."
If the records produced by the software are required by the FDA, as part of a new drug submission for example, then the data must be submitted in a format acceptable by the FDA.
The Mastersizer 2000 software can export data in an ASCII format that is acceptable to the FDA. It can also be set to save records as portable document files (*.pdf files) using Adobe Acrobat®. These files can be digitally signed and can form part of a submission.
Subpart B - Electronic Records
Sec. 11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
"(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."
The Mastersizer 2000 software has been numerically validated and a Right to View the Lifecycle Documentation is available to registered users under a non-disclosure agreement.
Full IQ/OQ documentation is available for the Mastersizer 2000 system, allowing the system to be validated to ensure consistent performance. This performance qualification is key to the development of a user's validation procedures.
In addition, all Malvern products are developed and maintained in an ISO 9001 approved quality environment. In August 2002, Malvern Instruments enhanced its accreditation to ISO 9001:2000. Malvern also successfully applied for ISO 14001 accreditation in 2007.
The Mastersizer 2000 software does not support invalidating a measurement record. If a record is to be considered invalid, a written procedure must be implemented to mark the record as such.
The software records are stored in a binary format and alteration using a third party application would be difficult and can be considered unreasonable. If a record is edited from within the application, the original record is not obscured and a new one with the altered data is created.
"(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records."
In addition to normal printed output, the software can export data in ASCII form for inspection by the FDA.
"(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period."
The protection of the electronic records requires users to implement some form of backup procedure to copy the records onto a long-term storage medium such as magnetic tape or CD-ROM. The Mastersizer 2000 software does not provide a solution for this requirement because each user has different requirements as well as different peripherals. Some may choose to back up to a central data server using a network, others may prefer to back up at the instrument using a Tape Streamer or a CD-Writer. Since the software runs on Windows 2000/XP™, all of these options are available from third parties. Malvern Instruments can provide systems with archival devices fitted if required.
"(d) Limiting system access to authorized individuals."
The FDA does not specify the method for limiting system access to authorized individuals. The security applied depends on the sensitivity of the electronic record and the possible effect on public health of alteration of the record. The Mastersizer 2000 software has an integrated authority-checking system that can be further enhanced by using the security system of Windows 2000/XP™.
In all cases, a written procedure will be required to detail those authorized to access the system and how access restriction is implemented and maintained.
Users should note that this section also calls for the "use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit and, as appropriate to organizational management."
Reference to paragraphs 133 to 135 of the Preamble to the Rule will show that the FDA expects the required reporting to have the same urgency as a fire alarm so that a would-be intruder can be apprehended at the computer terminal by security personnel.
To our knowledge, no supplier has succeeded in providing a solution that fully satisfies this requirement in the spirit intended. Until a suitable technological solution to this requirement is available, this must be satisfied by procedural means.
"(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
The Mastersizer 2000 software incorporates audit trail information in the measurement file. In this way, it cannot be separated from the data. The audit trail is computer-generated and cannot be altered.
The Mastersizer 2000 software contains an additional audit trail which logs all system operations. These audit trail files can be displayed within the application and can also be exported as comma delimited text files to other applications such as Word™ for examination by the FDA or other interested parties. To help viewers, each log item in the file is prefixed by an icon to indicate whether the event is associated with:
- A security event
- The creation or modification of a record
- The creation or modification of an SOP
The audit trail log files can be set up to be automatically created on a daily, weekly, monthly, 3-monthly, 6-monthly or annual basis, to suit users' protocols and work rates.
Note that when correctly configured, the application software prevents record deletion and, once created, measurement data cannot be obscured. Where editing of a record is allowed, a new record is always created as part of the editing process, so that it is always possible to audit the changes that have been made.
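One way to make an audit trail of this kind tamper-evident, shown as an added example in Python; it is not the Mastersizer 2000 implementation, whose file format this note does not describe. The `AuditTrail` class, its field names and the sample values in the comments are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used for the first entry in a trail
FIELDS = ("seq", "time", "user", "action", "record_id", "version", "data", "prev")


def _digest(entry):
    """SHA-256 over the entry's fields, including the previous entry's hash."""
    body = {k: entry[k] for k in FIELDS}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: an edit adds a new version, it never overwrites one."""

    def __init__(self, clock=None):
        self._entries = []
        # Time is taken from the system, not supplied by the operator.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _append(self, user, action, record_id, version, data):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "time": self._clock(), "user": user,
                 "action": action, "record_id": record_id, "version": version,
                 "data": data, "prev": prev}
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry

    def create(self, user, record_id, data):
        if self.versions(record_id):
            raise ValueError("record already exists: " + record_id)
        return self._append(user, "create", record_id, 1, data)

    def edit(self, user, record_id, data):
        history = self.versions(record_id)
        if not history:
            raise KeyError(record_id)
        # The earlier version stays in the trail; the edit becomes version n+1.
        return self._append(user, "modify", record_id,
                            history[-1]["version"] + 1, data)

    def versions(self, record_id):
        return [e for e in self._entries if e["record_id"] == record_id]

    def export(self):
        return [dict(e) for e in self._entries]


def verify(entries, head=None):
    """Return -1 if the trail is intact, otherwise the index of the first
    entry that fails. If every entry checks out but the final hash differs
    from a separately stored `head`, return len(entries): the trail was
    truncated or replaced wholesale."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
            return i
        prev = e["hash"]
    if head is not None and head != prev:
        return len(entries)
    return -1


if __name__ == "__main__":
    trail = AuditTrail()
    trail.create("alice", "rec-1", {"d50_um": 12.4})   # constructed sample data
    trail.edit("bob", "rec-1", {"d50_um": 12.9})
    log = trail.export()
    print("intact:", verify(log, head=log[-1]["hash"]))
    log[0]["data"] = {"d50_um": 10.0}                  # simulate an outside edit
    print("first bad entry:", verify(log))
```

An unkeyed hash chain only detects alteration when the latest hash is also kept somewhere an editor of the file cannot reach, such as the backup medium or a signed report.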
"(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate."
The preamble to the final Rule explains that this requirement applies only when the sequence of operations will directly affect the manufacturing process. This part of the Rule is not applicable to the measurement process. It could be applicable when a measurement is made in the manufacturing process, but this would be beyond the scope of this document and will already be covered by users' manufacturing quality SOPs.
"(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand."
In all cases, some form of documentary evidence of what constitutes authority is required. If logical access restrictions are used as authority checks, these must be detailed along with details of the management and maintenance of access restrictions.
Logical access restrictions are those resident within Windows 2000/XP™ and within the Mastersizer 2000 application itself. When the 21 CFR Part 11 features of the software are enabled, the software has the same set of authority checks as the Windows 2000/XP™ operating system. The key security features included are:
- Ability for users to log in and out of the system without closing down the operating system. This is just one of the benefits of replicating the Windows NT security features in the Mastersizer 2000 application itself.
- Enabling a continuous use check to automatically log out a user after a predetermined period of mouse or keyboard inactivity. This does not interrupt any measurements that may be proceeding in the background.
- Enforcement of password ageing where, after a pre-determined period, users must change their passwords.
- Enforcement of a minimum password cycle where users must cycle through a predetermined number of different passwords before returning to a favorite. Up to 32 passwords can be insisted on. However, it is prudent to insist on a number that can conveniently be remembered by users without them having to resort to the use of Post-It notes or other visible reminders that would defeat the original purpose of the security measures being taken.
"(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction."
The most significant device check, when a measurement is made, is the physical connection to the instrument. For all other forms of data input, the source is not critical and there are no requirements for device checks.
"(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks"
The preamble to the Rule states that this regulation is aimed at the development of applications within the regulated company, not external vendors such as Malvern Instruments.
However, it is worth recording that Malvern Instruments is an ISO 9001:2000 accredited company and complies fully with this requirement.
"(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification."
Companies must have a written policy that informs the instrument operators that electronic signatures carry the same legal obligations as their written signatures. This may be part of the company handbook or be a specific policy for the operators of the Mastersizer 2000 and its associated software.
"(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation"
Point 93 in the preamble to the Final Rule states that the documentation controls "...apply to systems documentation that can be changed by individuals within an organization. If systems documentation can be changed only by a vendor, this provision does not apply."
The system's documentation includes any manuals shipped with the product and any online help that the software provides. User companies must have a written policy that details the controls to be applied to these documents. These can be as general as a statement that those individuals authorized to use the Mastersizer 2000 have full access to the system's documentation, or as specific as restricting access to the systems' documentation to named individuals.
The software provides online help but does not support any method of restricting access to this help to named individuals. If this is required, the only available solution is to print out a paper copy of the help file and apply controls to the printed document. The original help file can then be removed from the system to prevent access. This action should not be required since no sensitive operations, such as 21 CFR Part 11 operations, are included in the online help.
Sec. 11.30 Controls for open systems.
"Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in Sec. 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality."
The 21 CFR Rule 11 requirements for operating in open environments require the use of Digital Signatures and encryption. The enabling technologies are still young and there is a high degree of uncertainty as to which mechanism will become the dominant standard. For this reason, no Malvern products currently support operating in an open environment.
If a report is printed in PDF format, the tools available with Adobe Acrobat® can be used to make the PDF file suitable for transmission in an open environment.
Sec. 11.50 Signature manifestations.
The Mastersizer 2000 software can be used with the Adobe Acrobat® package to provide support for electronic signatures. Using the Acrobat® package to produce a PDF report of the measurement data allows users to make use of the advanced digital signature and security features provided by Adobe. If your organization has an integrated electronic signature solution, such as VeriSign™, this method is compatible with all the industry standard solutions. PDF is one of the preferred submission formats of the FDA and has numerous advantages over other electronic formats.
"(l) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
1) The printed name of the signer;
2) The date and time when the signature was executed; and
3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature."
When correctly configured, the Acrobat® digital signature solution makes provision for all of these requirements. Users' written policies should detail the Acrobat® configuration requirements specific to their environments.
"(m) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout)."
The digital signatures applied by Acrobat® are printed on the reports and held in the PDF file.
Sec. 11.70 Signature/record linking.
"Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means."
The digital signatures applied by Acrobat are printed on the reports and held in the PDF file. The Adobe Acrobat® PDF file is linked to the original electronic record by information automatically printed in the report by the Mastersizer 2000 software. The name of the output PDF file also references the source record.
Subpart C - Electronic Signatures
To provide the most flexible solution to the provision of electronic signatures, the application software uses the features of Adobe Acrobat®. This allows for a record keeping and approval process similar to users' current paper-based solutions, with the added convenience and power of an electronic format. Where users' current SOPs require a printed document and a manual signature, they may simply use a suitably configured Adobe PDF file and electronic signatures.
Sec. 11.100 General requirements.
If users elect to use electronic signatures rather than hand-written ones, their companies must have written policies concerning the use of electronic signatures to satisfy the following requirements:
"(n) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(o) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
(p) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature."
Sec. 11.200 Electronic signature components and controls.
The Mastersizer 2000 software uses Adobe Acrobat™ to provide electronic signatures. The requirements of this section apply only to the Acrobat product and should not be confused with the authority checks provided by the software.
The software has no integral facility for electronic signatures. If electronic signatures are to be used, we recommend the Adobe Acrobat™ package. This package provides all the facilities required by this section of the Rule.
"(q) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(r) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners."
The use of Biometrics in security systems is not common at this time.
Sec. 11.300 Controls for identification codes/passwords.
The Mastersizer 2000 software has no integral facility for electronic signatures. If electronic signatures are to be used, we recommend use of the Adobe Acrobat™ package. This package provides all the facilities required by this section of the Rule. The requirements of this section apply only to the Acrobat product and should not be confused with the authority checks provided by the software.
Persons who use electronic signatures based upon use of identification codes in combination with passwords must employ controls to ensure their security and integrity. Such controls shall include:
"(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password ageing).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner."
Appendix 1: Definitions (21 CFR 11.3)
"Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system."
If a computer system stores data to a "durable medium" it is creating an electronic record. Hard disks, floppy disks, CD-ROM, tape, flash memory, and zip drives are all forms of durable media. A good way to determine whether a record needs to comply is to turn off the power of the computer. If the record is still there when the power is next turned on, it probably needs to comply. If the FDA audits your company, this data could fall under the remit of the Rule.
However, in the latest Guidance, published in August 2003, the FDA states that Part 11 will apply to:
"Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format.
On the other hand, records (and any associated signatures) that are not required to be retained under predicate rules, but that are nonetheless maintained in electronic format, are not part 11 records.
We recommend that you determine, based on the predicate rules, whether specific records are part 11 records.
We recommend that you document such decisions."
"Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system."
There are three mechanisms required to create a closed system.
Physical access to the computer and measurement system can be restricted to those responsible for the content of electronic records. If physical access is restricted to authorized key holders, the computer of the system can be considered to be a closed system. In practice this is difficult to achieve. Control of the keys is difficult to administer and it would be very difficult to prove conclusively in court that no other individuals had access.
Logical access to the application can be restricted by a compliant security system. This is a more satisfactory solution because it is more flexible and is simple to manage. Only those individuals responsible for the system are able to access the electronic records using the application used to generate them. The weakness of this mechanism is that the electronic records are, by definition, stored on a durable medium. If access to this medium is possible by means other than the application used to generate the records, such as a file editor, then no guarantee can be given that the records have not been altered. To resolve this problem, access to all durable media must be restricted by the Operating System.
Logical access to the operating system must also be restricted to those responsible for the content of the electronic records. The operating system security must comply with the requirements for a closed system.
All of the operating systems supported by the Mastersizer 2000 software can be configured to be closed systems.
"Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system."
Any system not running on a secure operating system (e.g. a system using Windows 95/98 or MS-DOS) is considered to be an open system. The FDA requirements for open systems are quite stringent and depend on Digital Signatures to verify that electronic records have not been altered. It is for this reason that most suppliers are currently recommending the use of a closed system.
"Hand-written signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark."
It is possible to scan a signature into a digital form so that it may be printed on reports. It could be argued that using a pre-scanned copy of a written signature does not constitute a hand-written signature, as the act of signing is not preserved for each successive application. A scanned image of a hand-written signature can be attached to an electronic signature but since the electronic signature regulations allow the plain text of an individual's name, this adds no value and is not normally required.
"Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature."
In all practical applications, an electronic signature is the combination of a user identifier and a password known only to that individual. With the right controls in place, this is very secure, but like all security systems, poor control can break the security. You may have a very good lock on your front door but if you leave the key under the doormat it is not secure. It is for this reason that the FDA stipulates very specifically the controls that must accompany Electronic Signatures for them to be acceptable as a means of identifying an individual.
Most of these controls are procedural and must be implemented by users. It is for this reason that it is not possible to say unconditionally that any software package will solve a user's 21 CFR Rule 11 compliance problems outright. Only in conjunction with compliant procedures will compliance be achieved and an FDA audit be passed.
"Digital signature means an electronic signature based upon cryptographic methods of originator authentication computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified."
This term is easily confused with Electronic Signature but the two are very different. The key difference is that Digital Signatures rely upon some form of cryptography to guarantee that the signed record has not been altered since it was signed. The current solutions often rely upon a trusted third party to identify the signer.
An example of Digital Signatures in use is Windows Internet Explorer™. If you set the security settings to only accept code from a trusted source, you will see Digital Certificates from the web sites. The code that Explorer downloads will be Digitally Signed by the vendor. The signature is then sent to a trusted third party and checked. If the signature matches, the code is accepted and run.
"Biometrics are a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable."
At the time of writing the field of Biometric identification is immature and research into these systems is still in the early stages. Solutions tend to be expensive and impractical for all but the most secure environments.