ELECTRONIC SIGNATURES
BY POORNA BASURI.P
M.PHARMACY, I ST YEAR

WHAT DOES IT MEAN?

21 - Chapter of US Federal Law (Food, Drug & Cosmetics Act, circa 1906)
CFR - Code of Federal Regulations (US Federal Government law)
Part 11 - That part of 21 CFR that deals with electronic records and electronic signatures.

WHAT IS PART 11

21 CFR Part 11 (Part 11) applies to electronic records and electronic signatures that persons create, modify, maintain, archive, retrieve, or transmit under any records or signature requirement set forth in the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, or any FDA regulation.

HISTORY

In response to requests from the industry, the USFDA issued a regulation in 1997 that provides criteria for acceptance by the FDA of electronic records, electronic signatures and handwritten signatures. With this regulation, titled Rule 21 CFR Part 11, electronic records can be equivalent to paper records and handwritten signatures. Such a regulation was important because electronic data handling offers noteworthy benefits in the manufacturing area and also for the huge amount of data generated in analytical laboratories. The use of fully electronic data acquisition, evaluation, management and archiving promises major improvements in the workflow.

IMPORTANCE

The use of electronic records is expected to be more cost effective for the industry and the FDA. The approval process is expected to be shorter, and access to documentation will be faster and more productive. In many situations using computers cannot be avoided, for example in analytical laboratories for automated data acquisition and evaluation. In this case the laboratories must comply with Part 11.

There may come a time when the FDA will no longer accept paper records. Electronic records have some significant advantages over paper records: tangibly lower space requirements and easier retrieval are just two of those advantages. The rule applies to all industry segments regulated by the FDA, including Good Laboratory Practice (GLP), Good Clinical Practice (GCP) and current Good Manufacturing Practice (cGMP).

REQUIREMENTS OF PART 11:
- Use of validated existing and new computerized systems.
- Secure retention of electronic records and instant retrieval.
- User-independent computer generated time-stamped audit trails.
- System and data security, data integrity and confidentiality through limited authorized access to systems and records.
- Use of secure electronic signatures for closed and open systems.
- Use of digital signatures for open systems.
- Use of operational checks.
- Use of device checks.
- Determination that the persons who develop, maintain or use electronic systems have the education, training and experience to perform their assigned task.

TERMINOLOGY

Electronic Records
Electronic records are "any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system".

Closed system
A closed system is defined as an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

Open system
An open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

Practically all systems in analytical laboratories are closed systems. With an appropriate security system in place, the laboratory has full control over who will access the system. An open system in a laboratory would be one where the data is stored on a server that is under the control of a 3rd party. Other examples of open systems are websites where everyone has access.

Electronic Signature
An electronic signature is "a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature".

Electronic signatures are the electronic equivalent of handwritten signatures on paper. They may be based on biometric identification methods like fingerprint scanners or facial and voice recognition, but a simple combination of a user I.D. and password is also sufficient. Within a company, the user I.D. must be unique to a specific person. Electronic signatures are sufficient for closed systems.

Digital signature
A digital signature is "an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified".

Digital signatures are required for open systems and as such need higher security levels. Therefore, in addition to electronic signatures, cryptographic methods have to be applied for authentication of the user and integrity of the record.

WHEN DOES IT APPLY?

The new narrow scope of the guidance states that Part 11 applies when:
- The record is required by a predicate rule, e.g., electronic batch records for 21 CFR Part 211 and electronic training records in 21 CFR Part 58.
- The electronic records are used to demonstrate compliance with a predicate rule, e.g., electronic training records for compliance with 21 CFR Part 211.
(Predicate rule = all other 21 CFR Part regulations.)
- When electronic records are used instead of paper.
- When persons make printouts but still rely on the electronic records in the computerized system to perform regulated activities.
- Records submitted to the FDA, under predicate rules (even if such records are not specifically identified in agency regulations), in electronic format.
- Electronic signatures intended to be the equivalent of handwritten signatures, initials and other general signings required by predicate rule.

REQUIREMENTS OF THE RULE

The most important requirements and some interpretations for implementation are:

System Validation - 11.10(a)
"Procedures should be in place for Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records".

That condition applies to both new and existing systems. Validation should include application specific functions as well as functions related to Part 11, electronic audit trail and electronic signatures. Recommended test procedures include:
- Limited and authorized system access. This can be achieved by entering correct and incorrect password combinations and verifying if the system behaves as intended.
- Limited access to selected tasks and permissions. This can be achieved by trying to get access to tasks as permitted by the administrator and verifying if the system behaves as specified.
- Computer generated audit trail. Perform actions that should go into the e-audit trail according to specifications. Record the actions manually and compare the manual record with the computer generated audit trail.
- Accurate and complete copies. Calculate results from raw data using a defined set of evaluation parameters. Save raw data, final results and evaluation parameters on a storage device. Switch off the computer. Switch it on again and perform the same tasks as before using data stored on the storage device. Results should be the same as for the original evaluation.
- Binding signatures with records. Sign a data file electronically. Check the system design and verify that there is a clear link between the electronic signature and the data file. For example, the link should include the printed name or a clear reference to the person who signed, the date and time and the meaning of the signature.
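
The "binding signatures with records" check can be automated during validation. The following is an added example, not code from the original slides or from any Part 11 product: it assumes a hypothetical signature manifest that carries the signer's name, the time and the meaning together with a SHA-256 digest of the data file, sealed with an HMAC under a system-held key (Part 11 does not prescribe this mechanism). The key, names and record contents are constructed.

```python
import hashlib
import hmac
import json

# Assumption: a system-held key seals each signature manifest (constructed value).
SYSTEM_KEY = b"constructed-demo-key"
# The items the link should carry according to the test procedure above.
REQUIRED_FIELDS = ("printed_name", "signed_at", "meaning")


def record_digest(record_bytes):
    """SHA-256 of the data file; this is what ties a signature to one record."""
    return hashlib.sha256(record_bytes).hexdigest()


def seal_manifest(manifest, key):
    """HMAC over a canonical JSON form so any later edit to the manifest shows."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_record(record_bytes, printed_name, signed_at, meaning, key=SYSTEM_KEY):
    """Build the hypothetical signature manifest for one data file."""
    manifest = {
        "printed_name": printed_name,
        "signed_at": signed_at,
        "meaning": meaning,
        "record_sha256": record_digest(record_bytes),
    }
    return {**manifest, "seal": seal_manifest(manifest, key)}


def check_binding(record_bytes, signature, key=SYSTEM_KEY):
    """Return a list of findings; an empty list means the check passed."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not str(signature.get(field) or "").strip():
            findings.append(f"missing {field}")
    manifest = {k: v for k, v in signature.items() if k != "seal"}
    expected = seal_manifest(manifest, key).encode("ascii")
    presented = str(signature.get("seal", "")).encode("utf-8")
    if not hmac.compare_digest(expected, presented):
        findings.append("manifest altered after signing")
    if signature.get("record_sha256") != record_digest(record_bytes):
        findings.append("signature is not bound to this record")
    return findings


if __name__ == "__main__":
    # Constructed sample records for the validation run.
    original = b"batch-001 assay result: 98.7%"
    other = b"batch-002 assay result: 91.2%"
    sig = sign_record(original, "A. Smith", "2024-01-01T10:00:00+00:00", "approval")
    print("signed record:", check_binding(original, sig))
    print("signature moved to another record:", check_binding(other, sig))
    print("meaning removed:", check_binding(original, dict(sig, meaning="")))
```
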

Accurate and Complete Copies - 11.10(b) and 11.10(c)
(b) "Procedures should be in place to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records"

Accurate and Ready Retrieval - 11.10(c)
(c) "Records must be protected to enable their accurate and ready retrieval throughout the records retention period".

The agency wants to be able to trace final results back to the raw data using the same tools as the user had when this data was generated. This is probably one of the most difficult requirements to implement.

Limited Access - 11.10(d)
"Procedures should be in place to limit system access to authorized users".

Limited access can be ensured through physical and/or logical security mechanisms. Most companies already have procedures in place. For logical security, users typically log on to a system with a user I.D. and password. Physical security through key locks or pass cards in addition to logical security is recommended for high-risk areas, for example, for data centers with network servers and back-up data. These procedures should be very well documented and validated.

User-Independent Computer Generated Time-Stamped Audit Trails - 11.10(e)
"Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying".

The main purpose is to ensure and prove data integrity. If the data has been changed, the computer should record what has been changed and who made the change. The audit trail functionality should be built into the software and is especially important for critical computer related processes with manual operator interaction.

Operational System Checks - 11.10(f)
"Procedures should be available to use operational system checks to enforce permitted sequencing of steps and events, as appropriate".

Use of Authority Checks - 11.10(g)
"Procedures should be available to use authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand".

Authority checks must be in place to ensure authenticity, integrity and confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. This requires procedural and technical controls. Authority checks should be used when an individual attempts to:
- Access a system.
- Perform selected permitted tasks.
- Change a record.
- Electronically sign a record.

Use of Device Checks - 11.10(h)
"Procedures should be available to use device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction".

This requirement refers to automatically determining the identification and location of a piece of equipment hardware or another computer system. An example would be that a computer system controlling an instrument should automatically recognize the equipment as a valid input device through its serial number. If the serial number is not set up in the computer's database, the instrument cannot be used as an input device.
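
For the 11.10(e) audit trail requirement described above, the following added example (not from the original slides or any specific product) shows one way to keep a trail that timestamps entries itself, preserves the previous value on every change, and makes later edits or deletions detectable. Hash chaining is an assumed technique that Part 11 does not mandate, and the user names, record ids and values are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def entry_hash(entry):
    """SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: there is no method to update or remove an entry."""

    def __init__(self, clock=None):
        # The timestamp comes from the system clock, never from the operator.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self._entries = []

    def append(self, user, action, record_id, old_value, new_value):
        prev = self._entries[-1]["entry_hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "timestamp": self._clock(),
            "user": user,
            "action": action,          # create / modify / delete
            "record_id": record_id,
            "old_value": old_value,    # kept so the change does not obscure it
            "new_value": new_value,
            "prev_hash": prev,
        }
        entry["entry_hash"] = entry_hash(entry)
        self._entries.append(entry)
        return dict(entry)

    def entries(self):
        return [dict(e) for e in self._entries]


def verify_chain(entries):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e.get("seq") != i or e.get("prev_hash") != prev
                or e.get("entry_hash") != entry_hash(e)):
            return i
        prev = e["entry_hash"]
    return None


if __name__ == "__main__":
    trail = AuditTrail()
    trail.append("asmith", "create", "batch-001/assay", None, "98.7")
    trail.append("asmith", "modify", "batch-001/assay", "98.7", "99.1")
    log = trail.entries()
    print("intact:", verify_chain(log))
    log[1]["old_value"] = "99.1"   # simulate someone hiding the original value
    print("after tampering, first bad entry:", verify_chain(log))
```

A chain like this only detects tampering by someone who cannot rewrite every later entry; storing the latest `entry_hash` somewhere the record owner cannot modify closes that gap.
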

People Qualification - 11.10(i)
"Procedures should be available to determine that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks".

People qualification is a GxP requirement and not specific to Part 11. Procedures should be in place to document tasks and qualifications, to develop a gap analysis and to develop an implementation plan on the gaps that can be filled.

Individual Accountability - 11.10(j)
"Procedures should be available to establish, and adhere to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification".

Procedures should make employees aware that electronic signatures have the same meaning as handwritten signatures.

Controls Over System Documentation - 11.10(k)
"Procedures should be in place for appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation".

Use of Digital Signatures for Open Systems - 11.30
"Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified for closed systems, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality".

Requirements for Signed Electronic Records - 11.50
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

Linking records to Signatures - 11.70
"Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means."

General requirements for electronic signatures - 11.100
"(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature."

Electronic signature components and controls - 11.200
"(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners."

Controls for identification codes/passwords - 11.300
"Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner."

GAMP 5 (GOOD AUTOMATED MANUFACTURING PRACTICE)

INTRODUCTION

Good Automated Manufacturing Practice (GAMP) is both a technical subcommittee of the International Society for Pharmaceutical Engineering (ISPE) and a set of guidelines for manufacturers and users of automated systems in the pharmaceutical industry. More specifically, the ISPE's guide, The Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems in Pharmaceutical Manufacture, describes a set of principles and procedures that help ensure that pharmaceutical products have the required quality.

One of the core principles of GAMP is that quality cannot be tested into a batch of product but must be built into each stage of the manufacturing process. As a result, GAMP covers all aspects of production, from the raw materials, facility and equipment to the training and hygiene of staff. Standard operating procedures (SOPs) are essential for processes that can affect the

PURPOSE OF GAMP
- To help USERS understand the requirements for prospective validation of an automated system and the level to which the validation should be performed.
- To help SUPPLIERS ensure that systems are developed according to good practice, and to provide documentary evidence that their systems meet the agreed specification.

GAMP 4 (December 2001): Major revision and new content in line with regulatory and technological developments. Broadened scope to include regulated healthcare industries. Greater coverage of user responsibilities and detail on operational activities.

The new Good Automated Manufacturing Practice (GAMP) 5 guidelines were released in February 2008 at the ISPE (International Society for Pharmaceutical Engineering) Manufacturing Excellence Conference in Tampa, Florida. These guidelines are the latest, up-to-date thinking in the approach to validation of GxP computerized systems. The purpose of the guidelines is to provide a cost effective framework of good practice to ensure that computerized systems are fit for use and compliant with regulation.

There are five key concepts to GAMP 5:
1. Product and Process Understanding
2. Lifecycle approach within QMS
3. Scalable Lifecycle Activities
4. Science Based Quality Risk Management
5. Leveraging Supplier Involvement

1) Product and Process Understanding
Understanding the product and process is critical in determining system requirements and for making science and risk-based decisions to ensure that the system is fit for use. In determining fit for use, attention should be focused on those aspects that are critical to patient safety, product quality, and data integrity.

2) Lifecycle Approach within a QMS
Defining a lifecycle approach to a computerized system has been expanded from GAMP 4 to include all phases and activities from concept and implementation through operation and retirement. These activities should be defined within the quality management system (QMS). This allows for a consistent approach across all systems. There are four major phases defined for any system:
1. Concept
2. Project
3. Operation
4. Retirement

3) Scalable Lifecycle Activities
The GAMP 5 guidelines outline that lifecycle activities should be scaled according to:
- System impact on patient safety, product quality, and data integrity (Risk Assessment)
- System complexity and novelty
- Outcome of supplier assessment

4) Science Based Quality Risk Management
Science Based Quality Risk Management allows companies to focus on critical aspects of the computerized system and develop controls to mitigate those risks. This is where a clear understanding of the product and process is critical to determine potential risks to patient safety, product quality, and data integrity.

5) Leveraging supplier involvement
Documentation should be assessed for suitability, accuracy, and completeness. There should be flexibility regarding acceptable format, structure and documentation practices.

OBJECTIVE
GAMP 5 guidance aims to achieve computerized systems that are fit for intended use and meet current regulatory requirements, by building upon existing industry good practice in an efficient and effective manner.

GAMP 5 SETS THE MAIN REQUIREMENTS FOR THE USE OF COMPUTERIZED SYSTEMS IN PHARMACEUTICAL APPLICATIONS:

- Patient safety, product quality and data integrity.
- Effective governance to achieve and maintain GxP compliance.
- Quality by design (QbD).
- Continuous improvement within the quality management system (QMS).
- Critical quality attributes (CQA).
- Improving GxP compliance efficiency.
- Configurable systems and development models.
- Use of existing documentation and knowledge.
- Effective supplier relationships.
- Scalable approach to GxP compliance.
- Science based quality risk management system.
- Life cycle approach within QMS.

SOME APPLICATIONS OF GAMP-5

1. Monitoring manufacturing, production and storage environments in the pharmaceutical industry.
The conditions under which pharmaceutical products are manufactured and stored can have a major impact on their quality. Factors such as temperature, humidity, air quality, time and production process characteristics can all have a significant impact on the final quality of a product or batch of products.

For the purposes of traceability, it is necessary to adhere to GAMP 5 guidelines to accurately record every stage in the production lifecycle of a product, encompassing not just the manufacturing process but also the storage and distribution stages. In doing so, manufacturers can prove to have acted in accordance with best practice by building in quality from the outset and designing failure out of the process.

GAMP guidelines advise that the manufacture, storage and distribution stages of pharmaceutical products are monitored to ensure that any facilities involved meet the required standards. Of the various parameters that need to be carefully controlled, temperature and humidity are perhaps the two most critical.

2. Monitoring the autoclaving process in the pharmaceutical industry.
Provides independent verification and validation monitoring of the autoclaving process.

Sterilization permits the re-use of pharmaceutical equipment such as instruments, utensils, lab equipment and media preparation, and is necessary to eliminate transmissible agents such as spores, bacteria and viruses. It is possible to kill some microorganisms with chemicals, irradiation, and dry heat, but the most effective and inexpensive method is with saturated steam.

3. Water purification in the pharmaceutical industry.
Provides independent verification and validation of the water purification process.

Water is a major commodity used by the pharmaceutical industry. Different grades of water quality are required according to the pharmaceutical process. The United States Pharmacopoeia (USP) and the European Pharmacopoeia (EP) are the governing bodies that issue guidelines for the manufacture of drugs to their respective markets. Amongst these guidelines are regulations, legally enforceable by the FDA and European equivalents (such as the MHRA), for the purification of different grades of water used in the pharmaceutical processes:
- Purified water - used in preparation of medicinal products other than those that require the use of water to be sterile.
- Highly purified water - intended for use in the preparation of products where water of high biological quality is needed, except where water for injection is required.
- Water for injection - the purest grade of bulk water monographed by the USP and EP, found in the manufacture of parenteral, ophthalmic and inhalation products.

4. Freeze drying in the pharmaceutical industry.
Provides independent verification and validation monitoring of the freeze drying process.

Freeze drying is a technique used by pharmaceutical manufacturers to derive dry product from aqueous solutions. Originally developed during the 1940s, the technique produces a dry product which can be readily reconstituted to its original form by adding water when required. As such it is an ideal way of prolonging the life of pharmaceutical products, particularly where this may involve long periods of storage and transit prior to use.

CONCLUSION
While there are new revolutionary concepts in GAMP 5, it does bring together the latest industry and regulatory thinking in GxP computerized system validation into one concise guidance. By using the basic concepts that the GAMP, FDA, PIC/S, and other groups have been touting, such as using a scientific, risk-based approach to validation and leveraging vendor documentation, regulated companies can reduce the time and cost necessary for validation and maintain their systems in a compliant state.

REFERENCE

P. Lalasa & Vishal Gupta et al., A Review on applications of GAMP 5 in Pharmaceutical Industry, JSS University, July-September 2013, Vol. 5, Issue 3, ISSN 0975 9344.
https://www.slideshare.net/PrashantTomar7/good-automated-manufacturing-practices
https://globalhealthtrials.tghn.org/site_media/media/articles/QAData_21CFR_Part11.pdf
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11&showFR=1&subpartNode=21:1.0.1.1.8.2
http://www.labcompliance.com/tutorial/part11/default.aspx?sm=d_c