Memo of Meeting Date: June 14, 2001 Location: 1350 Piccard Drive Rockville, MD
by user
Comments
Transcript
Memo of Meeting Date: June 14, 2001 Location: 1350 Piccard Drive Rockville, MD
Memo of Meeting Date: June 14, 2001 Location: 1350 Piccard Drive Rockville, MD Subject: ProPackData Electronic Recordkeeping System Representing ProPackData Corporation, Cary North Carolina: Mr. Hermann Schaefer, Director Customer Services, Mr. Christian Fortunel, President Dr. Gerhard Werling, Director, Quality Management & Validation Services Representing the Food and Drug Administration, Dr. Charles Snipes, Compliance Officer, Center For Drug Evaluation and Research Mr. Paul J. Motise, Consumer Safety Officer, Office of Enforcement Mr. Scott MacIntire, Director, Division of Compliance Information and Quality Assurance, Office of Enforcement Dr. James McCormack, Consumer Safety Officer, Office of Enforcement Mr. Tom Chin, Consumer Safety Officer, Office of Enforcement Mr. Thomas Santucci, Computer Specialist, Office of Enforcement The meeting was requested by Propack Data to discuss the firm’s electronic recordkeeping software in the context of 21 CFR Part 11. At the start of the meeting we explained that FDA does not formally review, approve or disapprove of products and services that enable people to meet FDA regulations, and that our comments should not be taken as FDA review, approval or disapproval of the Propack Data products. The firm’s representatives explained that their software, the PMX system, has part 11 functionality and they wanted our input as to their interpretation of the regulations. The representatives gave us a brief presentation, following the attached PowerPoint slides. Acrobat Document The representatives explained that ProPack Data is based in Germany, with branches in the U.S., France, Italy, and the U.K. About 85% of the firm’s customers are pharmaceutical producers, many based in the U.S.; the firm also has customers in the food and biotechnology industries. The firm’s core product, PMX integrates activities in product research, production, and quality control. The representatives gave us a broad overview of the product architecture, key modules, and how it interacts with other applications such as Oracle and SAP. PMX operates on Windows NT, Unix and Oracle platforms. During the meeting we discussed the firm’s approach to software validation. The representatives explained their two step approach that includes pre-validation of a standard package and validation of the customer’s system. Program modules are included in the customer’s system per the customer’s requirements; functionality is mapped to program modules, dependencies among modules are taken into consideration, and test plans are developed. Validation documentation and customer test scripts are developed, including interfaces to customers’ other systems. Design qualification documentation is held under third party escrow, although documentation of installation, operation and performance qualification is provided. The firm accepts customer audits and participates in the PDA software vendor qualification program (Technical Report 32.) We reviewed several part 11 technical requirements and how the firm intended to have its software meet them. These include authority checks, audit trails, sequencing checks, archiving, electronic copies of electronic records, electronic signature manifestation, electronic signature components and controls for identification codes used together with passwords. With respect to electronic copies of electronic records, the system generates Adobe PDF files. We commented that to be suitable for our use electronic copies need to be in a format that permits us to process (e.g., search and sort) information. Thus, a PDF file of a table or spreadsheet would not meet this need, although a word searchable text file may meet this requirement. Electronic records are archived in electronic form; PDF is used for long term storage. We commented that, here too, archived records need to be in a form that permits content to be processed and electronic signatures to be verified. The representatives commented that to their knowledge none of their customers 2 has, in fact, exercised the software option that compresses the archive to an unprocessable form. Regarding access restrictions, the representatives explained that the software provides for configurable access according to user profiles. Concerning password security, the system requires a password length of at least six characters, at least one of which must be a number or a special character. The program also allows system managers to restrict password reuse and configure password expiration periods. In addition, the program is structured such that system administrators do not know user passwords. System lockouts during periods of end user inactivity can be configured and failed log in attempts are recorded. However, the system does not report in an urgent manner, attempts at system compromise; instead, security personnel must review a log to determine potential threats. If logs are not reviewed frequently enough, a security breech could go undetected for a period of time. The representatives explained that in future revisions of the program they will include a feature to send an e-mail message to designated security personnel when such events occur. Regarding audit trails, the program provides for time stamped automatic recording of operator actions that create, delete or modify an electronic record. Altered information is preserved in separate fields. The audit trail identifies operators by their log in names. A field provides for recording the reason for a change. We commented that part 11 does not require the audit trail to record the reason why a record was changed, although a predicate regulation may require recording that information in the trailed record itself. The representatives explained that prior to software delivery, end users may specify that the audit trail be deactivated for certain fields; de-activation would be “hard coded” and thus end users could not reactivate the audit trail. We objected to this practice, and explained that it would be too easy for a customer to inadvertently turn off audit trailing for a field that, per FDA requirements, must be audit trailed. The representatives said that the list of non-audit trailed fields would be included in the end user’s functional list. Electronic copies of audit trails are exportable in PDF format; we commented that, as explained above, this may not be acceptable if information in the audit trail could not be processed. We discussed changes to electronic records and suggested that an auditor should not have to comb through a separate audit trail to determine if and how an electronic record was altered. We commented that there should be some flag or indication of change in the trailed record itself. The program allows managers to configure and enforce event sequencing, so that, for example, elements in a pharmaceutical batch production record are completed in the proscribed order. 3 Manifestations of electronic signatures include the signer’s printed name, date and time of signing and the meaning of the signature. The meaning is either explicitly stated or inferred from the record’s content. Electronic signature to record linkage is attained through the database structure. The meeting concluded after about two hours. DOC ID: ProPackDataMemo of Meeting061401d.doc P. Motise 07/11/01 cc: HFA-224 HFC-200 FDA Meeting Attendees Part 11 Guidance Dockets 4 intro_and_PMX.ppt 13.06.2001 Meeting Food and Drug Administration Rockville June 14, 2001 One-Source Supplier for Enterprise Production Management Propack Data GmbH • Vincenz-Priessnitz-Str. 1 • 76131 Karlsruhe • Germany • www.propack-data.com Propack Data Corporation • 2000 Regency Parkway, Suite 375 • Cary, NC 27511 • USA • www.propack-data.com PD - PRESENTATION TEAM ■ Christian Fortunel President Propack Data Corporation phone: (919) 465 17 41 x312 e-mail: [email protected] ■ Hermann Schaefer Director Customer Services U.S. Propack Data Corporation phone: (919) 465 17 41 x313 e-mail: [email protected] ■ Dr. Gerhard Werling Director Quality Management & Validation Services Propack Data GmbH, Germany phone: +49-721-9650-835 e-mail: [email protected] PD_FIRST.ppt 2 (c) Propack Data © Propack Data 2001 1 intro_and_PMX.ppt 13.06.2001 AGENDA ■ INTRODUCTION ■ COMPANY OVERVIEW ■ PMX ARCHITECTURE ■ VALIDATION APPROACH ■ IMPLEMENTATION OF 21 CFR PART 11 ■ DISCUSSION PD_FIRST.ppt 3 © Propack Data 2001 OBJECTIVE ■ Provide insight into PMX system functionality with special focus on implementation of 21 CFR Part 11 ■ Get feedback of Propack Data‘s interpretation of 21 CFR Part 11 PD_FIRST.ppt 4 (c) Propack Data © Propack Data 2001 2 intro_and_PMX.ppt 13.06.2001 AGENDA ■ INTRODUCTION ■ COMPANY OVERVIEW ■ PMX ARCHITECTURE ■ VALIDATION APPROACH ■ IMPLEMENTATION OF 21 CFR PART 11 ■ DISCUSSION PD_FIRST.ppt 5 © Propack Data 2001 GLOBAL ACTION - LOCAL REACH Propack Data Corporation American Headquarters Cary, NC, USA Branch Offices in Parsippany, NJ Chicago, IL (planned) Propack Data S.r.L. Vimercate (MI), Italy Propack Data Ltd. Stansted/ London, UK Propack Data GmbH Global Headquarters Karlsruhe, Germany Branch Offices in Propack Data S.A.S. Toulouse, France PD_FIRST.ppt 6 (c) Propack Data Bad Säckingen, Bad Wurzach, Bergisch Gladbach, Leipzig © Propack Data 2001 3 intro_and_PMX.ppt 13.06.2001 HISTORY & OUTLOOK Products & Markets Expansion ASIA Expansion AMERICAS 02 First CTM Solution SAP Partnership 99 Expansion EUROPE 97 ISO 9001 Certification 96 First MES Solution Company Foundation 00 94 91 84 The Complete Solution PD_FIRST.ppt 7 © Propack Data 2001 STRONG FOCUS ON PHARMA Biotechnology 3% Fine Chemicals & Cosmetics 5% Food & Beverage 6% Pharmaceutical 86% PD_FIRST.ppt 8 (c) Propack Data © Propack Data 2001 4 intro_and_PMX.ppt 13.06.2001 PROPACK DATA - REFERENCES WERNER & MERTZ GMBH • MAINZ Nahrungs mittel ALUTAS PD_FIRST.ppt 9 © Propack Data 2001 QM CERTIFICATE & CUSTOMER AUDITS Since 1994 ISO 9001 Certification CUSTOMER AUDITS - last three years Since 01/2001 ISO 9001:2000 Certification PD_FIRST.ppt 10 (c) Propack Data © Propack Data 2001 5 intro_and_PMX.ppt 13.06.2001 AGENDA ■ INTRODUCTION ■ COMPANY OVERVIEW ■ PMX ARCHITECTURE ■ VALIDATION APPROACH ■ IMPLEMENTATION OF 21 CFR PART 11 ■ DISCUSSION PD_FIRST.ppt 11 © Propack Data 2001 INTEGRATED SOLUTION Key Performance Metrics ERP Application Connector LIMS DMS EPM DATA ARCHIVE LOGISTICS Application Connector AUTOMATION PD_FIRST.ppt 12 (c) Propack Data © Propack Data 2001 6 intro_and_PMX.ppt 13.06.2001 PMX THE COMPLETE SOLUTION Paramount Efficiency and Quality Utmost Flexibility Research & Development Management Manufacturing Execution System Total Quality Management Complete Control and Overview Clinical Trial Management PD_FIRST.ppt 13 Manufacturing Quality Service © Propack Data 2001 PMX IMPROVES cGMP COMPLIANCE “Improve cGMP compliance” Material Reconciliation DISY Weigh / Dispense Authorization Control EBR Batch Record Audit Trail EDB Controls for identification Recipe Management EINLOP Sequencing of Work Flow LIMOS Device checks Material Identification PALETTI Lot Management Archiving PDB Reporting PEPS Staff Qualification Maintenance PD_FIRST.ppt 14 (c) Propack Data TEDIS © Propack Data 2001 7 intro_and_PMX.ppt 13.06.2001 EBR LIMOS DISY PALETTI EINLOP EDB PMX ARCHITECTURE PMX Application Framework Integration Framework - PMX Kernel Oracle Database PD_FIRST.ppt 15 © Propack Data 2001 PRODUCTION KNOWLEDGE MANAGEMENT EDB n n n n PD_FIRST.ppt 16 (c) Propack Data Master data management - work centers - BOM items - storage - company and shift calendars - users Version-controlled master data - Master recipe procedures - bills of material - Master recipes - SOPs - Master recipe operations Electronic signatures Editor (Word-compatible) © Propack Data 2001 8 intro_and_PMX.ppt 13.06.2001 ELECTRONIC BATCH RECORDING EBR n Interactive HTML-based on-line process control n Operator-related electronic signature n Electronic link to batch processing technology via PLC, scales, process equipment n Automated generation of the production protocol PD_FIRST.ppt 17 © Propack Data 2001 PRODUCTION DATA AND BATCH ARCHIVE PDB n SQL-based reporting functions n Long-term batch archive n External archive management n PD_FIRST.ppt 18 (c) Propack Data Document scanning © Propack Data 2001 9 intro_and_PMX.ppt 13.06.2001 PRODUCTION SCHEDULING & CONTROL EINLOP n Electronic planning board n Interface to ERP n Optimal order sequencing n Optimization of set-up times n Resource requirements n Personnel placement plan n Checking of dates and resources n Simulations n Monitoring of order progress PD_FIRST.ppt 19 © Propack Data 2001 QUALIFICATION MANAGEMENT PEPS n Personnel qualification data n Staff qualification, training administration n Plant- / GxP- and SOP-related instructions n Order-related placement planning n GxP Training Management n Trigger based deviation reporting n PD_FIRST.ppt 20 (c) Propack Data Reports © Propack Data 2001 10 intro_and_PMX.ppt 13.06.2001 QUALITY MANAGEMENT QUIBS n GLP/FDA-compliant master data management (check plans, check items, processes, etc.) n n n Process-attending in-process control during production and packaging at the work center/laboratory Sampling at goods receipt/issue as well as during process Order processing in analytic, microbiology and stability laboratories (chemical/physical and microbiological analysis procedures) n n n n Batch control and evaluation on the basis of research results Quality certificates/Certificates of analysis Documentation, reports Automatic download of check results PD_FIRST.ppt 21 © Propack Data 2001 DISPENSING AND WEIGHING SYSTEM DISY n Identification of containers and input materials with RF-scanners n Recipe-based weighing n Open scales interfaces, automation of dosage device n Labeling, weighing protocol, batch documentation n Integration with EBR PD_FIRST.ppt 22 (c) Propack Data © Propack Data 2001 11 validation_approach.ppt 13.6.2001 AGENDA ■ INTRODUCTION ■ COMPANY OVERVIEW ■ PMX ARCHITECTURE ■ VALIDATION APPROACH ■ IMPLEMENTATION OF 21 CFR PART 11 ■ DISCUSSION Validation_approach / 1 © Propack Data 2001 VALIDATION STRATEGY A TWO-STEP APPROACH Pre-validation of standard solution package Validation_approach / 2 (c) Propack Data Validation of Customer System © Propack Data 2001 1 validation_approach.ppt 13.6.2001 PRE-VALIDATION OF STANDARD PACKAGE Maintenance Request Evaluation & Release Definition Release Launch User Requirement Specification Release Test Functional and Technical Specification Implementation Validation_approach / 3 © Propack Data 2001 RELEASE DOCUMENTATION Release Qualification Documentation Validation Documentation Package Solution Specification System Documentation Technical and Quality Documentation Training Documentation Next Validation_approach / 4 (c) Propack Data © Propack Data 2001 2 validation_approach.ppt 13.6.2001 Localization Pre-Validated Standard Solution Package Configuration Validation TRANSFORMATION OF STANDARD SOLUTION TO CUSTOMER SYSTEM Validated Customer System Customization Validation_approach / 5 © Propack Data 2001 PD-VISION - based on V-MODEL Support Conclusion of contract Deployment User Requirement Specification Integration & Qualification Functional and Technical Specification Implementation Validation_approach / 6 (c) Propack Data © Propack Data 2001 3 validation_approach.ppt 13.6.2001 TEST STRATEGY n Test suite with phase specific test objective and low redundancy between phases n Maximum ”re-usability” of testing n Focus on changes applied to standard software n Test specification based on documented risk analysis to access impact of changes Validation_approach / 7 IF... REPEAT ... PERFORM .. PRINT ... ENDIF © Propack Data 2001 TEST METHOD MT 630 IF... REPEAT ... PERFORM .. PRINT ... ENDIF Focus test strategy test object Software Software item item test test System System test test HW-Installation HW-Installation test test Interface Interface test test Acceptance Acceptance test test PQ PQ test test Function / Transaction Hardware Interfaces to other systems Business processes complete system in operational environment white box test black box test; Challenge Tests completeness check of functionality and Tests black box test; Challenge process level Challenge testing on test in operational environment Code for Change or Enhancement New or customized Functions New or customized interfaces GxP - relevant processes GxP - relevant data SoftwareElement Validation_approach / 8 (c) Propack Data order xyz © Propack Data 2001 4 21_CFR_Part11 13.6.2001 AGENDA ■ INTRODUCTION ■ COMPANY OVERVIEW ■ PMX ARCHITECTURE ■ VALIDATION APPROACH ■ IMPLEMENTATION OF 21 CFR PART 11 ■ DISCUSSION 21_CFR_Part_11_compact.ppt 1 © Propack Data 2001 PMX FEATURES SUPPORTING 21 CFR PART 11 COMPLIANCE A Selection: n Reporting of Electronic Records n Authority Checks n Archiving n Audit Trails n Sequencing of Steps & Events n Electronic Signature Manifestation n Signature / Record Linking n Electronic Signature Components n Controls for Identification Codes / Passwords 21_CFR_Part_11_compact.ppt 2 (c) Propack Data © Propack Data 2001 1 21_CFR_Part11 13.6.2001 21 CFR PART 11 REQUIREMENTS §11.10(b) §11.10(b) The The system system shall shall provide provide the the ability ability to to generate generate accurate and complete copies of records accurate and complete copies of records in in both both human readable and electronic form suitable human readable and electronic form suitable for for inspection, inspection, review, review, and and copying copying by by the the agency. agency. Implementation in PMX Reporting Features 21_CFR_Part_11_compact.ppt 3 © Propack Data 2001 21 CFR PART 11 REQUIREMENTS §11.10(c) §11.10(c) The The system system shall shall ensure ensure the the protection protection of of records records to to enable enable their their accurate accurate and and ready ready retrieval retrieval throughout throughout the the records records retention retention period. period. §11.10(d) §11.10(d) Limiting Limiting system system access access to to authorized authorized individuals individuals must be ensured. must be ensured. Implementation in PMX User Authorization Access Restrictions Archiving Features 21_CFR_Part_11_compact.ppt 4 (c) Propack Data © Propack Data 2001 2 21_CFR_Part11 13.6.2001 21 CFR PART 11 REQUIREMENTS §11.10(e) §11.10(e) The The system system must must provide provide secure, secure, computer-generated, computer-generated, time-stamped audit trails time-stamped audit trails to to independently independently record record the the date and time of operator entries and actions date and time of operator entries and actions that that create, create, modify, modify, or or delete delete electronic electronic records. records. Record Record changes shall not obscure previously changes shall not obscure previously recorded recorded information. information. Implementation in PMX Audit Trail Version Control 21_CFR_Part_11_compact.ppt 5 © Propack Data 2001 21 CFR PART 11 REQUIREMENTS §11.10(f) §11.10(f) Use Use of of operational operational system system checks checks to to enforce enforce permitted permitted sequencing sequencing of of steps steps and and events, events, as as appropriate. appropriate. Implementation in PMX Sequencing of Actions 21_CFR_Part_11_compact.ppt 6 (c) Propack Data © Propack Data 2001 3 21_CFR_Part11 13.6.2001 21 CFR PART 11 REQUIREMENTS §11.10(g) §11.10(g) Use Use of of authority authority checks checks to to ensure ensure that that only only authorized authorized individuals individuals nn can can use use the the system, system, nn electronically electronically sign sign aa record, record, nn access access the the operation operation or or computer computer system system input input or or output output device, device, nn alter alter aa record, record, or or nn perform perform the the operation operation at at hand. hand. Implementation in PMX User Authorization Certifying Authorization Access Restrictions 21_CFR_Part_11_compact.ppt 7 © Propack Data 2001 21 CFR PART 11 REQUIREMENTS §11.50(a) §11.50(a) Signed Signed electronic electronic records records shall shall contain contain information information associated with the signing that associated with the signing that clearly clearly indicates indicates all all of of the the following: following: (1) (1) The The printed printed name name of of the the signer; signer; (2) The date and time when (2) The date and time when the the signature signature was was executed; and executed; and (3) (3) The The meaning meaning (such (such as as review, review, approval, approval, responsibility, or authorship) responsibility, or authorship) associated associated with with the the signature. signature. Implementation in PMX Signature Manifestation 21_CFR_Part_11_compact.ppt 8 (c) Propack Data © Propack Data 2001 4 21_CFR_Part11 13.6.2001 21 CFR PART 11 REQUIREMENTS §11.50(b) §11.50(b) Printed Printed name name of of the the signer, signer, date date and and time, time, and and meaning meaning associated associated with with the the signature signature shall be subject to the same controls shall be subject to the same controls as as for for electronic electronic records records and and shall shall be be included included as as part part of of any any human human readable readable form form of of the the electronic electronic record record (such (such as as electronic electronic display display or or printout). printout). Implementation in PMX Management and Display of Electronic Signatures 21_CFR_Part_11_compact.ppt 9 © Propack Data 2001 21 CFR PART 11 REQUIREMENTS §11.70 §11.70 Signature/record Signature/record linking: linking: Electronic Electronic signatures signatures and and handwritten handwritten signatures signatures executed executed to to electronic electronic records records shall shall be be linked linked to to their their respective respective electronic electronic records records to to ensure ensure that that the the signatures signatures cannot cannot be be excised, excised, copied, copied, or or otherwise otherwise transferred transferred to to falsify falsify an an electronic electronic record record by by ordinary ordinary means. means. Implementation in PMX Signature / Record Linking 21_CFR_Part_11_compact.ppt 10 (c) Propack Data © Propack Data 2001 5 21_CFR_Part11 13.6.2001 21 CFR PART 11 REQUIREMENTS §11.200(a)(1) §11.200(a)(1) Electronic Electronic signatures signatures that that are are not not based based upon upon biometrics shall employ at least two biometrics shall employ at least two distinct distinct identification identification components components such such as as an an identification identification code and password. code and password. Implementation in PMX Signature Components 21_CFR_Part_11_compact.ppt 11 © Propack Data 2001 21 CFR PART 11 REQUIREMENTS §11.300 §11.300 (b) (b) The The system system shall shall provide provide controls controls ensuring ensuring that that identification identification code code and and password password issuances issuances are are periodically periodically checked, checked, recalled, recalled, or or revised revised (e.g., (e.g., to to cover cover such such events events as as password password aging). aging). Implementation in PMX Password Features Reporting for User Authorization 21_CFR_Part_11_compact.ppt 12 (c) Propack Data © Propack Data 2001 6 21_CFR_Part11 13.6.2001 Implementation of 21 CFR Part 11 in PMX 21 CFR PART 11 IMPLEMENTATION Reporting Reporting nn Every Every electronic electronic record record can can be be generated generated in in human human readable readable and and electronic electronic form form nn Standard Standard templates templates or or customized customized templates templates 21_CFR_Part_11_compact.ppt 14 (c) Propack Data © Propack Data 2001 7 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Authorization Authorization nn Two Two kinds kinds of of Authorizations Authorizations nn Operational Operational Authorization Authorization -- Execution Execution The The rights rights required required by by an an operator operator for for executing executing aa certain certain function function nn Certifying Certifying Authorization Authorization -- Approval Approval The The rights rights required required by by aa supervisor/operator supervisor/operator for for certifying certifying that that the the results results of of aa certain certain operation operation are are in in order order nn Authorizations Authorizations are are associated associated with with aa Customer-specific Customer-specific Hierarchy Hierarchy of of User User Groups Groups and and Users Users 21_CFR_Part_11_compact.ppt 15 © Propack Data 2001 21 CFR PART 11 IMPLEMENTATION Access Access Restrictions Restrictions nn Login Login Features Features á á Configurable Configurable number number of of false false Login Login Attempts Attempts á á Protocol Protocol of of all all Login Login Attempts Attempts nn Password Password Features Features á á á á á á á á á á Encrypted Encrypted Storage Storage Configurable Configurable expiration expiration At At least least one one Number Number or or Special Special Character Character At At least least 66 characters characters long long Restrictive Restrictive “re-usability” “re-usability” of of passwords passwords nn Configurable Configurable Automatic Automatic Screen Screen Lock Lock mechanism mechanism during during inactivity inactivity nn Database accessible Database accessible only only through through controlled system functionality controlled system functionality 21_CFR_Part_11_compact.ppt 16 (c) Propack Data © Propack Data 2001 8 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Audit Audit Trail Trail nn Comprises Comprises the the Following: Following: •• A A time-stamp time-stamp •• Field Field name name •• New New value value within within the the field field •• Old Old value value within within the the field field •• The The kind kind of of transaction transaction -- (e.g. (e.g. create, create, delete, delete, modify) modify) •• Identification Identification of of the the operator operator (login (login name) name) •• An An electronic electronic signature, signature, whenever whenever appropriate appropriate •• The The reason reason for for the the change, change, whenever whenever appropriate appropriate nn Generic Generic Concept Concept within within PMX PMX which which can can be be configured configured for for each each Record Record Type Type separately separately -e.g. e.g. BOM, BOM, Production Production Procedure, Procedure, … … 21_CFR_Part_11_compact.ppt 17 © Propack Data 2001 21 CFR PART 11 IMPLEMENTATION Version Control Work Flow Transition Graph of a Version Controlled Object n Represents workflow for data object Deletion data object Edit mode n State transition is coupled with specific authorization and electronic signature n Insertion new data Author’s signature No signature No signature Test Automatic version numbering n Old versions that have reached certain state are kept in archive Approval n System ensures that only one valid object at any one given time exists Released n Setup of different approval flows for different objects by user Stipulated period of validity and operational manager’s signature Expired period of validity Current within period of validity Valid Expired period of lidi Archive 21_CFR_Part_11_compact.ppt 18 (c) Propack Data © Propack Data 2001 9 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Version Control Change History of a Data Object 21_CFR_Part_11_compact.ppt 19 © Propack Data 2001 21 CFR PART 11 IMPLEMENTATION Sequencing Sequencing of of Actions Actions Sequencing Sequencing enforced enforced through through basic basic system system functions functions and and configurable configurable mechanisms, mechanisms, as as e.g. e.g. nn User User definable definable master master batch batch record record nn Version Version graphs graphs defining defining workflow workflow from from editing editing to to archiving archiving nn Operation Operation workflow workflow for for recipe-based recipe-based weighing weighing 21_CFR_Part_11_compact.ppt 20 (c) Propack Data © Propack Data 2001 10 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Management Management and and Display Display of of Electronic Electronic Signatures Signatures nn Signature Signature components components are are displayed displayed on on every every paper paper record/screen record/screen display display as as appropriate appropriate nn For For practical practical reasons, reasons, signature signature information information can can be be displayed on demand displayed on demand 21_CFR_Part_11_compact.ppt 21 © Propack Data 2001 21 CFR PART 11 IMPLEMENTATION Mandatory Signature Components Requirement: Two distinct identification components User Identification Code Password Login Name - Unique - Secret - Associated user rights - protected by password features Please enter password: ****** 21_CFR_Part_11_compact.ppt 22 (c) Propack Data © Propack Data 2001 11 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Recommendation Signature Components Requirement: Two distinct identification components Logical Key Physical Key user identification code (ID-Code) e.g. Smartcard + password with associated ID- code + differentiated user management and rights system 21_CFR_Part_11_compact.ppt 23 © Propack Data 2001 21 CFR PART 11 IMPLEMENTATION Signatures Signatures Manifestation Manifestation in in PMX PMX nn Full Full name name of of signer signer stored stored within within user user profile profile and and displayed displayed in in line line of of identification identification code code nn Date Date and and time time always always stored stored and and displayed displayed together together with signature with signature nn Meaning Meaning of of Signatures Signatures nn provided provided by by context context of of signing, signing, ifif appropriate appropriate (( e.g. e.g. within within aa workflow) workflow) nn provided provided by by explicit explicit declaration declaration (e.g. (e.g. within within report) report) 21_CFR_Part_11_compact.ppt 24 (c) Propack Data © Propack Data 2001 12 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Signature Signature // Record Record Linking Linking nn Electronic Electronic Signatures Signatures are are linked linked to to Electronic Electronic Records ( Data Objects) through Database Records ( Data Objects) through Database Structure. Structure. DB DB Access Access is is controlled controlled through through Database Database Management Management System. System. Linking Linking Handwritten Handwritten Signatures Signatures nn Control Control of of Printouts: Printouts: Unique, successive Unique, successive numbering numbering of of copies copies 21_CFR_Part_11_compact.ppt 25 © Propack Data 2001 21 CFR PART 11 IMPLEMENTATION Uniqueness Uniqueness of of Signatures Signatures nn PMX PMX refuses refuses non-unique non-unique user user Identification Identification Codes Codes nn User User accounts accounts that that have have been been used used cannot cannot be be deleted deleted 21_CFR_Part_11_compact.ppt 26 (c) Propack Data © Propack Data 2001 13 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Protection Protection from from Fraud Fraud System System Features Features to to prevent prevent Fraud: Fraud: nn Secure Secure Password Password Features Features nn Access Access to to Database Database only only through through System System Functions Functions nn System System Administrator Administrator has has no no knowledge knowledge of of Passwords Passwords 21_CFR_Part_11_compact.ppt 27 © Propack Data 2001 21 CFR PART 11 IMPLEMENTATION Password Password Features Features nn Encrypted Encrypted Storage Storage nn “Hidden” entry “Hidden” entry of of password password on on screen screen nn Configurable Configurable Expiration Expiration nn At At least least one one Number Number or or Special Special Character Character nn At least 6 Characters long At least 6 Characters long nn Restrictive Restrictive “re-usability” “re-usability” of of passwords passwords 21_CFR_Part_11_compact.ppt 28 (c) Propack Data © Propack Data 2001 14 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Reporting Reporting for for User User Authorization Authorization nn Reporting Reporting functions functions for for user user // user user group group data data available, available, displaying displaying the the rights rights of of each each user user group group and and the the correspondence correspondence of of users users to to user user groups groups 21_CFR_Part_11_compact.ppt 29 © Propack Data 2001 21 CFR PART 11 IMPLEMENTATION Certifying Certifying Authorization Authorization -- Implementation Implementation nn Can Can be be bound bound to to Transactions Transactions such such as as nn Completion Completion of of an an Operation Operation step step -- Batch Batch Recording, Recording, Monitoring, Monitoring, Weighing Weighing and and Dispensing Dispensing nn Changing Changing the the Status Status of of aa Document Document under under Version Version Control Control nn Activation Activation of of Interaction Interaction Elements Elements nn Certifying Certifying Rights Rights are are also also Associated Associated with with either either User User Groups Groups or or Users Users 21_CFR_Part_11_compact.ppt 30 (c) Propack Data © Propack Data 2001 15 21_CFR_Part11 13.6.2001 21 CFR PART 11 IMPLEMENTATION Archiving in PMX - Concepts ProductiveDatenbase (relational) Archival Stage 1 ArchiveDatenbase (relational) Archival Stage 2 Long-term Archive (Data-oriented) Archived Archived Data Data Active Active data data with with all all dependent dependent Objects Objects Active Active data data with with all all dependent dependent Objects Objects Time Time medium medium term, term, cyclic cyclic long long term, term, cyclic cyclic Data Data format format // Storage Storage Media Media 1:1-image 1:1-image of of the the Structure Structure in in the the Productive Database Productive Database // Hard Hard Disks Disks Standardized Standardized Data Data formats formats XML, XML, HTML, HTML, PDF, PDF, …/ …/ CD, CD, DMS, DMS, … … Information Information content content Complete Complete Information Information content content of of Productive Productive Database Database compressed compressed representation representation of of the the information information Access Access Methods Methods PMX PMX Data-Viewer Data-Viewer DMS DMS 21_CFR_Part_11_compact.ppt 31 (c) Propack Data © Propack Data 2001 16