PTC s Windchill Product Lifecycle Management (PLM) System Facilitates Part 11 / Annex 11 Compliance

Transcription

1 PTC s Product Lifecycle Management (PLM) ystem Facilitates Part 11 / Annex 11 Compliance A White Paper by: Diane Gleinser, r. VP olutions and ervices, UDM Life ciences Michael Prudhomme, olution Director, PTC April A White Paper Published by UDM Life ciences 1

2 Copyright 2017 UDM Life ciences All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owners. implify, Unify and Optimize and UDM are trademarks of UDM in the United tates and other countries. All other trademarks are the property of their respective owners. All other brand, company, and product names are used for identification purposes only and may be trademarks that are the sole property of their respective owners. Document Title: PTC s Product Lifecycle Management (PLM) ystem Facilitates Part 11 Compliance Published by UDM Life ciences, February, Any comments relating to the material contained in this document may be submitted to: UDM Life ciences, LLC 535 Chapala treet anta Barbara, CA or by to: usdm@usdm.com A White Paper Published by UDM Life ciences 2

3 Introduction PTC s PLM system is used by many life science companies as a central repository for electronic records of product-related data. Many of the records stored in PLM are required and regulated by the U.. FDA under 21 CFR Part 11 (Part 11) in the United tates, and Eudralex Vol. 4 Annex 11 (Annex 11) in Europe and surrounding countries. Part 11, published in 1997, establishes technical and procedural requirements that must be met by a regulated user if they choose to maintain regulated records electronically. The regulation applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in agency regulations. In June of 2011, the European Commission Health and Consumers Directorate-General issued updated regulations for computerized systems compliance. Companies needing to comply with EudraLex rules in the European Union were required to adhere to Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerized ystems. This Whitepaper describes how helps regulated customers meet both the Part 11 regulation and Annex 11. It should be noted that, while tools and technical solutions for complying with the regulation, the regulated user must also provide controlled processes and procedures to fully comply. A White Paper Published by UDM Life ciences 3

4 21 CFR Part 11 Compliance Matrix The table below traces the U.. FDA Part 11 regulation requirements to the tools provided by for meeting them. Areas where the regulated customer must provide additional information for compliance are shown. The customer supplies processes and procedures to meet the regulation. - the tools to meet this regulation. supports compliance with the regulation; the customer supplies processes and procedures to fully meet the regulation (a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. It is important to note the content in this section of the regulation. 21 CFR Part 11 does not apply to ALL electronic records; it applies to electronic records that "are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency A White Paper Published by UDM Life ciences 4

5 11.1 (b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health ervice Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means. regulations." It..."also applies to electronic records submitted to the agency... even if such records are not specifically identified in agency regulations." 11.1 (c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, Electronic signatures are not required under Part 11 in order to be compliant with the regulation; however, should the regulated Company implementing wish to use electronic signatures, they must comply with this regulation (d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2, unless paper records are specifically required. A White Paper Published by UDM Life ciences 5

6 11.1 (e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection. The regulated customer is required to provide this information to an FDA inspector if requested. UDM recommends vendor audits of PTC be conducted periodically to assist the customer in maintaining compliance (f) This part does not apply to records required to be established or maintained by through of this chapter. Records that satisfy the requirements of part 1, subpart J of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part (g) This part does not apply to electronic signatures obtained under (d) of this chapter (h) [Reserved] This part does not apply to records required to be established or maintained by part 117 of this chapter. Records that satisfy the requirements of 11.1 (i) part 117 of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part. A White Paper Published by UDM Life ciences 6

7 11.1 (j) This part does not apply to records required to be established or maintained by part 507 of this chapter. Records that satisfy the requirements of part 507 of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part (k) This part does not apply to records required to be established or maintained by part 112 of this chapter. Records that satisfy the requirements of part 112 of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part (l) This part does not apply to records required to be established or maintained by subpart L of part 1 of this chapter. Records that satisfy the requirements of subpart L of part 1 of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part. A White Paper Published by UDM Life ciences 7

8 11.1 (m) This part does not apply to records required to be established or maintained by subpart M of part 1 of this chapter. Records that satisfy the requirements of subpart M of part 1 of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part (n) This part does not apply to records required to be established or maintained by subpart O of part 1 of this chapter. Records that satisfy the requirements of subpart O of part 1 of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part (o) This part does not apply to records required to be established or maintained by part 121 of this chapter. Records that satisfy the requirements of part 121 of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part. A White Paper Published by UDM Life ciences 8

9 11.2 (a) 11.2 (b) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met. For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that: 11.2 (b)(1) The requirements of this part are met; and The document or parts of a document to be submitted have been identified in public docket No as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for 11.2 (b)(2) submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if ee definition of Electronic Record and 11.1(a) and (b) above. Examples of records that are required to be maintained but are not typically submitted to the agency tandard Operating Procedures Test Methods Complaints Investigations Periodic Reviews More records are now being required to be submitted electronically. Those records submitted electronically must comply with 21 CFR Part 11. ome records required to be submitted to the agency are: BLA submissions New drug applications Drug Master Files, Investigational Device Exemptions A White Paper Published by UDM Life ciences 9

10 11.3 (a) 11.3 (b) they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission. The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part. The following definitions of terms also apply to this part: 11.3 (b)(1) 11.3 (b)(2) 11.3 (b)(3) Act means the Federal Food, Drug, and Cosmetic Act (secs (21 U..C )). Agency means the Food and Drug Administration. Biometrics means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable. This definitions section is provided to give context for the sections of Part 11 listed below. A White Paper Published by UDM Life ciences 10

11 11.3 (b)(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system (b)(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified (b)(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system (b)(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature. A White Paper Published by UDM Life ciences 11

12 11.3 (b)(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark (b)(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. A White Paper Published by UDM Life ciences 12

13 11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. "Persons who use systems shall employee procedures and controls ". oftware vendors can provide the tools to meet the regulations, can provide some of the validation to meet the records, but each customer using the system must identify how the intend to use the system and validate to their intended use. In addition, the end-using customer is responsible for putting in place controls to ensure that the system maintains its validated state. PTC a Validation Accelerator Pak for customers as a tool to simplify the validation process and minimize the time it takes to validate the system for intended use (b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. reporting tools that simplify the generation of accurate and complete copies of records in the system. A White Paper Published by UDM Life ciences 13

14 11.10 (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. The customer must determine the record retention requirements for the records generated in. Records are not deleted from the system. Customers can determine what records to archive and the retention period for those records. generates records and logs that are suitable for inspection, review or copying (d) Limiting system access to authorized individuals. supports this via security and administration capabilities. ystem access is controlled through use of unique User IDs and User generated passwords. Access is further controlled through role-based permissions defined by the Customer's business needs. Customers must determine roles and privileges for their users and administrators and put in place procedures and practices to manage security. A White Paper Published by UDM Life ciences 14

15 11.10 (e) (f) 11.10(g) Use of secure, computer-generated, timestamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. uch audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. maintains a secure, computergenerated audit trail of all system transactions, including those performed by the system administrator. The audit trail includes time stamps of user entries and modifications. Version control and checkout/check-in locks are used to ensure control over documents. Workflows can be built within to enforce business rules and the order of events. Forms can be configured to have required fields and dependent required fields. upported through LDAP 11.10(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. A White Paper Published by UDM Life ciences 15

16 11.10(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. Customers using must define OPs and practices to manage this. PTC supports this by ensuring that developers have the education, training and experience to perform their assigned tasks (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. Customers using must define OPs and practices to manage this (k)(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. Customers using must define OPs and practices to manage this (k)(2) Revision and change control procedures to maintain an audit trail that documents timesequenced development and modification of systems documentation. PTC creates an audit trail. customers must define procedures that address this requirement. A White Paper Published by UDM Life ciences 16

17 (a) Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. uch procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality igned electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. supports encryption and authentication with the use of Hypertext Transfer Protocol ecure (HTTP) and ecure ockets Layer L connections. Customers are responsible to put in place processes and procedures to manage this requirement. Access to PTC can only occur through an encrypted connection from the public Internet by using the IP address of the router. When approving a document electronically, signatories provide their printed name, date and time when approved, and the approver s role. The meaning of the signature can be defined by system roles and further supplemented by the use of comments based on system configuration. A White Paper Published by UDM Life ciences 17

18 11.50(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout) Quality records that are defined by the customer are audit trailed. Displayed electronic records that contain electronic signatures display those signatures. For printed documents, the system must be configured for the electronic signatures to appear on the printed page Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. Electronic signatures are secured and linked with file name linking available as a readable document to ensure compliance. Each file has a unique identifier and a complete approval history can be produced (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. When customers elect to use electronic signatures, they are responsible to define policies and procedures for ensuring that the regulations regarding e-signatures are met. support for authenticating username/password authentication. does not allow duplicate user identifications and ID/password combinations for system access or document approval. A White Paper Published by UDM Life ciences 18

19 11.100(b) (c)(1) (c)(2) (a) (a)(1) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature. Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. When customers elect to use electronic signatures, they are responsible to define policies and procedures for ensuring that the regulations regarding e-signatures are met. When customers elect to use electronic signatures, they are responsible to define policies and procedures for ensuring that the regulations regarding e-signatures are met. When customers elect to use electronic signatures, they are responsible to define policies and procedures for ensuring that the regulations regarding e-signatures are met. When customers elect to use electronic signatures, they are responsible to define policies and procedures for ensuring that the regulations regarding e-signatures are met. by default uses Identification Code and Password. Each signing requires use of both components. A White Paper Published by UDM Life ciences 19

20 11.200(a)(1)(i) (a)(1)(ii) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components (a)(2) Be used only by their genuine owners; (a)(3) (b) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. by default uses Identification Code and Password. Each signing requires use of both components. by default uses Identification Code and Password. Each signing requires use of both components. When customers elect to use electronic signatures, they are responsible to define policies and procedures for ensuring that the regulations regarding e-signatures are met. When customers elect to use electronic signatures, they are responsible to define policies and procedures for ensuring that the regulations regarding e-signatures are met. supports use of 3rd party biometrics applications and facilitates the application through its user authentication process. A White Paper Published by UDM Life ciences 20

21 (a) (b) (c) Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. uch controls shall include: Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. does not allow duplication of user ID. enforces password policies set by the customer. Customers are responsible to define policies and procedures for periodically checking, recalling and revising passwords. Customers are responsible to define policies and procedures for loss management procedures. supports this by allowing a system administrator to disable user accounts or compromised tokens cards or other devices and changing passwords as needed. A White Paper Published by UDM Life ciences 21

22 11.300(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. This can be configured (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Customers are responsible to define policies and procedures for loss management procedures. A White Paper Published by UDM Life ciences 22

23 Annex 11 Compliance Matrix The table below traces the Annex 11 regulatory requirements to the tools provided by for meeting them. Areas where the regulated customer must provide additional information for compliance are shown. Principle This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process. PTC a Validation Accelerator Pack for customers as a tool to simplify the validation process and minimize the time it takes to validate the system for intended use. The system processes should be appropriately tracked and trended by the customer to provide assurance that no decrease in product quality, process control or quality assurance occurs. Processes should be designed with quality built in. A White Paper Published by UDM Life ciences 23

24 General uppliers and ervice Providers 3.1 Risk Management: Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system. Personnel: There should be close cooperation between all relevant personnel such as Process Owner, ystem Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties. When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of As part of the Validation Accelerator Pack, a system risk assessment is provided. The customer must still review the risk assessment and update it based on their level of risk tolerance and associated risk management practices. Customers must also apply risk management principles to the lifecycle of the system in accordance with their own processes and procedures. Customers are responsible to ensure all personnel cooperate and have appropriate qualifications, access levels and defined responsibilities to conduct their assigned job duties. It is the customer s responsibility to ensure data facilities, host sites, third part validation providers, etc. provide adequate formal agreements. PTC these agreements and contracts for the services it. A White Paper Published by UDM Life ciences 24

25 the responsibilities of the third party. ITdepartments should be considered analogous The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment. Documentation supplied with commercial offthe-shelf products should be reviewed by regulated users to check that user requirements are fulfilled. Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request. PTC should be a part of your vendor management process. As part of the Validation Accelerator Pack offered by PTC, UDM Life ciences a vendor audit that is reviewed and updated annually. Each customer should review the audit report provided and conduct risk-based audits if needed to supplement this provided audit report. PTC a Validation Accelerator Pack that fulfills a substantial part of the validation documentation required. The end using customer must modify that documentation for intended use. PTC Customers are responsible to provide information requested by inspectors. Project Phase 4. Validation 4.1 The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, PTC a Validation Accelerator Pack that fulfills a substantial part of the validation documentation required. The end using customer must modify that A White Paper Published by UDM Life ciences 25

26 procedures and records based on their risk assessment. documentation for intended use of the system. 4.2 Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process. An up to date listing of all relevant systems and their GMP functionality (inventory) should be available. The validation subcontractor or the customer information and reporting on deviations occurring during the validation process. The customer must have a change management system in place to document changes that occur during the validation process and during the operational phase of the system For critical systems an up to date system description detailing the physical and logical arrangements, data flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security measures should be available User s pecifications should describe the required functions of the computerised system and be based on documented risk assessment and GMP impact. User requirements should be traceable throughout the life-cycle. This ystem Inventory list and maintenance of this list is the responsibility of each customer to provide and maintain. Common user requirements as well as core functionality typically used by life science companies are called out in the ystem s pecification in the Validation Accelerator Pack (VAP). Risk is assessed at a functional level in the Risk A White Paper Published by UDM Life ciences 26

27 The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately. For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system. Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system (process) parameter limits, data limits and error handling should be considered. Automated testing tools and test environments should have documented assessments for their adequacy. Assessment in the VAP. These documents must be reviewed and updated by the customer to ensure that their intended use is defined and verified. A vendor audit report, executed by experienced UDM Life cience auditors, is included in the VAP. The regulated user is responsible to ensure that the topics covered in the audit report meet the customer s vendor management requirements and to update the audit if necessary. The regulated user is responsible to put processes and procedures in place to ensure assessment and reporting of quality and performance measures for all the lifecycle stages of the system. PTC s VAP includes a vendor assessment/audit report to assist in this process. The regulated user is responsible to put processes and procedures in place to ensure assessment and reporting of quality and performance measures for all the lifecycle stages of the system. A White Paper Published by UDM Life ciences 27

28 Operational Phase Data: Computerised systems exchanging data electronically with other systems should include 5. appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks. Accuracy Checks: For critical data entered manually, there should be an additional check on the accuracy of the data. This check may be done by a second operator or by validated electronic 6. means. The criticality and the potential consequences of erroneous or incorrectly entered data to a system should be covered by risk management. upported through LDAP allows for recording a secondary operator check via system configuration. A White Paper Published by UDM Life ciences 28

29 7. Data torage 7.1 Data should be secured by both physical and electronic means against damage. tored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period. The regulated user must ensure physical security of data and any backups of that data through policies and procedures or through ervice Level and Quality Agreements with data storage providers. The procedures and/or agreements should define the physical and electronic security measures taken and how they are verified. The customer must determine the record retention requirements for the records generated in. Records are not deleted from the system. Customers can determine what records to archive and the retention period for those records. generates records and logs that are suitable for inspection, review or copying. A White Paper Published by UDM Life ciences 29

30 Printouts Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. It should be possible to obtain clear printed copies of electronically stored data For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry. The Validation Accelerator Pack includes a backup/restore test script that verifies that a file or multiple files are accurately backed up and that the data in those files can be restored accurately. The regulated user should have a data backup and restore procedure in place that specifies how often the backups are reviewed and how they are monitored as well as how often a test of data restoration occurs. reporting tools that simplify the generation of accurate and complete copies of records in the system. maintains a secure, computergenerated audit trail of all system transactions, including those performed by the system administrator. The audit trail includes time stamps of user entries and modifications. Version control and checkout/check-in locks are used to ensure control over documents. A White Paper Published by UDM Life ciences 30

31 Audit Trails: Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMPrelevant changes and deletions (a system generated "audit trail"). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed Change and Configuration Management: Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure. Periodic evaluation: Computerised systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. uch evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports. maintains a secure, computergenerated audit trail of all system transactions, including those performed by the system administrator. The audit trail includes time stamps of user entries and modifications, the reason / type of change before and after values. Version control and checkout/check-in locks are used to ensure control over documents. customers must define procedures that address this requirement. customers must define procedures that address this requirement. A White Paper Published by UDM Life ciences 31

32 12. ecurity Physical and/or logical controls should be in place to restrict access to computerised systems to authorised persons. uitable methods of preventing unauthorised entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas. The extent of security controls depends on the criticality of the computerised system. Creation, change, and cancellation of access authorisations should be recorded. Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time. customers must define procedures that address this requirement. customers must define procedures that address this requirement. customers must define procedures that address this requirement. supports tracking of the creation, change and cancellation of access authorizations in its audit trail. maintains a secure, computergenerated audit trail of all system transactions, including those performed by the system administrator. The audit trail includes time stamps of user entries and modifications. Version control and checkout/check-in locks are used to ensure control over documents A White Paper Published by UDM Life ciences 32

33 a. Incident Management: All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions. Electronic records may be signed electronically. Electronic signatures are expected to: have the same impact as hand-written signatures within the boundaries of the company 14.b. be permanently linked to their respective record 14.c. include the time and date that they were applied. customers must define procedures that address this requirement. has the functionality to apply electronic signatures that meet the regulatory requirements. customers must define procedures that address this requirement. Displayed electronic records that contain electronic signatures display those signatures. For printed documents, the system must be configured for the electronic signatures to appear on the printed page. When approving a document electronically, signatories provide their printed name, date and time when approved, and the approver s role. A White Paper Published by UDM Life ciences 33

34 Batch release: When a computerised system is used for recording certification and batch release, the system should allow only Qualified Persons to certify the release of the batches and it should clearly identify and record the person releasing or certifying the batches. This should be performed using an electronic signature Business Continuity: For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested. Archiving: Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested. can be configured through LDAP to use authority checks to ensure that only authorized individuals can electronically sign a record. When approving a document electronically, signatories provide their printed name, date and time when approved, and the approver s role. The reason for signature can be added via a comment box. customers must define procedures that address this requirement. customers must define procedures that address this requirement. A White Paper Published by UDM Life ciences 34

35 ummary In summary, our regulated client base with the necessary technical solutions and tools to comply with the Part 11 and Annex 11 regulations. Our VAP extends that assistance by providing a modifiable set of validation tools. PTC stands with our customers to ensure that they have the necessary information required in the complex and heavily regulated life science industries. A White Paper Published by UDM Life ciences 35