21 CFR Part 11 Compliance

Introduction

21 CFR Part 11 is a regulation issued by the US Food and Drug Administration (FDA) that sets guidelines for electronic records and electronic signatures used in FDA-regulated industries, such as pharmaceutical, biotechnology, and medical device companies.

Compliance with these regulations is important for our customers in order to avoid fines or product recalls, ensure data integrity and efficiency via secure electronic records, and to break out into international markets governed by similar compliance regulations.

This module guide provides links the 21 CFR Part 11 compliance assessment in addition to IQ/OQ templates to assist during the computer system validation process.

1. Login Security
2. Extensive User Permission Options
3. Digital Signoff of Production
4. IT Administrator Role
5. Electronic Batch Records (EBR)
6. Custom IQOQ Implementation for Customers
7. Updated Digital Record Keeping Abilities
8. Locking Application Licenses to Specific Devices

By default, V5 Traceability applications usually require a 4-digit pin code to provide login. However, with the advent of the latest version of v5.8, the system now features a more robust and secure username and password option that can be enabled upon a customer’s request.

This can be enabled per V5 application or system wide, such as for Control Center:

As well as the Terminal and WMS applications (Terminal shown):

For these applications, failed login attempts will be registered:

And after a set amount of failed login attempts (which can be set by management in Control Center), the user’s account will be locked and a supervisor or manager would have to override this lockout.

This can be overridden by managers in the ‘Operators’ section of Control Center, where the locked user’s password can also be edited under the ‘Secondary Password’ field.

As we can see here, a password expiry field has also been added to this section of Control Center. This allows managers to set password expiry dates as they please. Let’s take ‘Nick Brown’ as an example and change their password expiry to today’s date.

With this done and this user tries to log in, they will be met with the following message allowing them to change their password upon expiry:

Resetting a password in this way would add a configurable amount of days to the current password expiry date, depending on how often managers desire changes to be enforced. Managers can also override this new date in Control Center if desired.

V5 Traceability offers comprehensive user privilege options to ensure that only suitably qualified users can perform certain tasks within the system. This includes:

• Preventing access to certain areas or even applications within the system.
• Assigning supervisor roles to managers to allow them to sign off batches (see below), approve new/changes to formulations and perform system overrides.
• Preventing users from seeing full formula compositions and/or value.
• Only allowing certain users to make inventory adjustments.

More information on the various permissions and privileges offered by V5 Traceability can be found in our module guide on the topic here.

Alongside the user permission options offered by V5 Traceability that are discussed above, the system also features an ‘IT Administrator’ role feature that can be enabled upon request. This contributes to compliance by separating the roles of user and system administration, which helps to prevent any potential conflicts of interest.

This feature can be seen here in the ‘Operators’ window:

With the feature enabled, selecting ‘User’ will allow that operator to access all areas of Control Center (assuming none are restricted in the user permissions), except ‘Operators’.

Selecting ‘IT Administrator’ will do the opposite, and allow that operator access to only the ‘Operators’ panel in Control Center.

In cases where a signoff of a batch or product is required, whether to check production equipment, or the batch/product itself, V5 Traceability can easily provide this functionality.

No configuration is required for this feature, but rather it exists as a checkbox that can easily be toggled on/off as desired under the ‘Signoff Required’ column.

When this formula is then run in Terminal, once the operator reaches the end of the batch, they will be presented with a signoff screen.

A user with supervisor permissions would then have to enter their credentials in order to complete the batch. The supervisor can use this window to review the formula to check the amounts of various commodities used and the accuracy of the mix, and also to verify that any additional instructions have been followed.

Only once the supervisor is happy with this can they sign off the batch by using their system credentials. They would also have to provide an electronic signature.

Additional reasons can be added here by setting the as ‘Batch Signoff’ types in ‘Reasons’ in Control Center. More information on this can be found in our module guide on the topic here.

Note here that users marked as supervisors in Control Center cannot sign off batches that they themselves have produced (i.e. they cannot grade their own assignment), and would need a second supervisor to provide the signoff once the batch is complete.

V5 Traceability is installed alongside the Jaspersoft Reports suite, and as such can provide 21 CFR Part 11 Compliance via reports such as the ‘Electronic Batch Record’ (EBR) report. This report can be configured to provide multiple levels of detail in order to provide accurate traceability of ingredients used, details of actions taken and by whom, signatures of signoffs provided etc., to suit any level of compliance/audit requirement.

In this instance we are looking at a similar batch of Aspirin to what we just produced in the signoff discussion above. The report generated from this will feature a log of formula step events, the amount and accuracy of the commodities used in its production, as well as providing an electronic copy of a supervisor’s signature alongside the signoff.

This report can also link to other reports such as lot traceability reports for the various components used.

SG Systems now offer a customized Installation Qualification Operational Qualification (IQOQ) process for customers wishing to comply with 21 CFR Part 11 requirements.

Each process will feature:

• Consultation sessions with a qualified SG representative.
• Full documentation for the installation of any size of formulation system, including full system layout schematics, responsibilities for the customer and SGS, how documentation will be handled, and relation to relevant 21 CFR Part 11 and associated compliance documentation & regulation.
• Electronic signature stamped documentation of the entire process, providing full accountability for the installation and testing of each element of V5 Traceability prior to release to the customer

A template IQOQ document of the kind supplied by SG Systems can be viewed here.

Designed to go hand in hand with the requirements for the IQOQ process, as well as general compliance with 21 CFR Part 11, further modifications have been made to V5 Traceability to facilitate:

• Activation log for V5 Traceability, providing information on when the system was first initialized by SG Systems.
• Installation logs for all V5 applications, documenting the SG representative who performed the initial installation of the application, along with the date and timestamp.
• An update log that holds records of any application updates performed in the system, including the SG representative who performed the update, along with the date and timestamp.

From v5.8 onwards, each device that is to host a V5 application needs to be registered with SG Systems. These devices are then tied to the specific, named, licenses of the application installed on them. Once registered, these named licenses cannot be used on any other devices without assistance from SG Systems.

This feature not only helps SG Systems effectively manage licenses for our customers, but also provides improved traceability within the system by preventing unnamed or duplicate applications operating within the system and confusing any digital reports that the customer produces.