Part 11 in Title 21 of the Code of Federal Regulations includes the US Federal guidelines for storing and protecting electronic records and applying electronic signatures. Shimadzu Scientific Instruments' Class-VP 7 Chromatography Data System (CDS) was designed to provide a full feature set to help companies using chromatography instruments comply with this ruling. On this page, each section of 21 CFR Part 11 is examined, and the solution that Class-VP 7 provides is discussed.
11.10a
Has the system been validated in order to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records?
Yes
Shimadzu Scientific Instruments has extensively validated Class-VP 7 performance with tests written to specifically evaluate accuracy, reliability and consistent performance. All data, sequences and methods have embedded audit trails that are CRC checksummed to discern invalid or altered records.
11.10b
Is the system capable of generating accurate and complete copies of all required records in both human readable and electronic form suitable for inspection, review and copying by the FDA?
Yes
Class-VP 7 maintains the integrity of all data files using a unique checksum algorithm. These files and the resulting reports are available for review and inspection.
11.10c
Are the records protected to enable the accurate and ready retrieval throughout the record retention period?
Yes
All records are protected in secure storage locations and are readily retrievable through an add-on database package.
11.10d
Is system access limited to authorized individuals?
Yes
Class-VP 7 authenticates users based on Microsoft® Windows NT/2000/XP name and password security. The system administrator assigns rights to each function in the software per individual.
11.10e
Is there a secure, computer-generated, time-stamped audit trail that independently records the date and time of operator entries and actions that create, modify, or delete electronic records?
Yes
The secure, computer-generated, time-stamped audit trail is embedded with the data itself to ensure long-term retention and association.
11.10e
When records are changed, is previously recorded information left unchanged?
Yes
All changes are added to the audit trail, and all copies of results and methods are embedded in the data file. There is no overwriting of information.
11.10e
Are electronic audit trails kept for a period at least as long as their subject electronic records and available for agency review and copying?
Yes
The secure, computer-generated, time-stamped audit trail is embedded with the data itself to ensure long-term retention and association. The audit trail can be reviewed and printed.
11.10 (f)
Are operational system checks used to enforce permitted sequencing of steps and events?
Yes
Within Class-VP 7, users are stepped through sequences and events. When steps are performed out of sequence, users are prompted with an error message.
11.10(g)
Are authority checks in place to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand?
Yes
Class-VP 7 authenticates users based on Microsoft® Windows NT/2000/XP name and password security. The system administrator assigns rights to each function in the software per individual.
11.10(h)
Are device checks used to determine, as appropriate, the validity of the source of data or operational instruction?
Yes
Integration with instruments through comprehensive automation and control provides various levels of device and validity checks depending on the instrument make and model. To gain access to the system, a user's access rights are verified when logging on.
11.10(i)
Do the persons who develop, maintain, or use electronic records/signature systems have the education, training, and experience to perform their assigned tasks?
Yes
Records of the educational and employment history of Shimadzu Scientific Instruments employees are verified and kept with personnel records that can be made available during an on-site audit of SSI. Users of Class-VP 7 at a customer location will be required to show records of education, training and/or experience with the system. Training is available from Shimadzu Scientific Instruments.
11.10(j)
Have written policies been established, and adhered to, that hold individuals accountable and responsible for actions initiated under their e-signatures in order to deter record and signature falsification?
N/A
It is the responsibility of the organization implementing electronic signatures to develop written policies that ensure that individuals responsible for signing documents understand that their electronic signature is as binding as their handwritten signature.
11.10(k)(1)
Are there adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance?
N/A
While documentation is available for Class-VP 7 users and administrators, controls over the storage and distribution of this material are the responsibility of the end user.
11.10(k)(2)
Are there formal revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation?
Yes
Shimadzu Scientific Instruments' quality process includes formal written revision and change control procedures for systems documentation.
11.30
Are there procedures and controls used to protect the authenticity, integrity and confidentiality of the electronic records from their creation point to the point of their receipt?
N/A
Class-VP 7 is a closed system.
11.30
Are additional measures used to ensure the confidentiality of the electronic records from the point of their creation to the point of their receipt?
N/A
Class-VP 7 is a closed system.
11.50 (a)
Do the signed electronic records contain information associated with the signing that clearly indicates the following:
1. Printed name of signer,
2. Date and time that the signature was executed,
3. The meaning associated with the signature?
Yes
Both the machine-readable data and the human readable report contain the name, date / time and meaning.
11.50 (b)
Are these items part of any human readable form of the electronic record?
Yes
Both the machine-readable data and the human readable report contain the name, date / time and meaning.
11.70
Is the electronic signature linked to its respective electronic record to ensure that the signature cannot be excised, copied or otherwise transferred to falsify an electronic record by ordinary means?
Yes
Signed records have a unique checksum, which prevents signatures from being excised, copied or otherwise transferred.
11.100 (a)
Is each electronic signature unique to one individual and not reused by, or reassigned to, anyone else?
Yes
Through the use of Microsoft® Windows NT/2000/XP security, users' signatures are unique and cannot be reused or reassigned.
11.100 (b)
Are the identities of the individual verified prior to the establishment, assignment, and certification or otherwise sanctioning an individual's electronic signature or any element of an electronic signature?
N/A
This would be a requirement of the customer before implementing electronic signature procedures and / or assigning electronic signature privileges to an individual.
11.100 (c)
Has the Company delivered its corporate electronic signature certification letter to the FDA?
11.100 (c)(1)
Is it in paper form with a traditional handwritten signature?
11.100 (c)(2)
Can additional certification or testimony be provided that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature?
N/A
It is the Company's responsibility, before submitting electronically signed documentation to the FDA, to register their intent to use electronic signatures. In addition, training programs must be in place to ensure that users signing documents electronically understand the legal significance of their electronic signature.
11.200 (a)(1)
Does the e-signature employ at least two distinct identification components such as User ID and password?
Yes
The Class-VP 7 electronic signature tools consist of two components, username (unique) and password.
11.200 (a)(1)(i)
When an individual executes a series of signings during a single, continuous period of controlled system access, is the first signing executed using all the electronic signature components?
Yes
When an individual signs the first of a series of documents during a single period of controlled access, the user is required to enter both signature components: username and password.
11.200 (a)(1)(i)
When an individual executes a series of signings during a single, continuous period of controlled system access, is each subsequent signing executed using at least one electronic signature component that is only executable by, and designed to be used by, the individual?
Yes
When a Class-VP 7 user executes a series of continuous electronic signatures (defined as signatures executed within a system administrator determined period of time) they are required to enter username, password and reason on the first signature only. Each subsequent signature requires only the user's password, which is known only to the user.
11.200 (a)(1)(ii)
When an individual executes a series of signings not performed during a single, continuous period of controlled system access; does each signing executed require all signature components?
Yes
When a Class-VP 7 user executes a series of non-continuous electronic signatures (defined as signatures executed outside of a system administrator determined period of time) they are required to enter username, password and reason on each signature.
11.200 (a)(2)
Are controls in place to ensure that only their genuine owners can use the electronic signature?
Yes
Through the use of Microsoft® Windows NT/2000/XP security, no two users can have the same username and password.
11.200 (a)(3)
Are the electronic signatures to be administered and executed to ensure that the attempted use of an individual's electronic signature by anyone other than its genuine owner requires the collaboration of two or more individuals?
Yes
Class-VP 7 uses the user's username and password to initiate the electronic signature. The system can be configured such that an administrator can assign an initial password to a user for a new account or a forgotten password, but the user is required to change that password on their first login. In this manner the username / password combination is known only to the individual.
11.300 (a)
Are controls in place to ensure the uniqueness of each combined identification code and password maintained, such that no two individuals have the same combination of identification code and password?
Yes
Through the use of Microsoft® Windows NT/2000/XP security, no two users can have the same username and password.
11.300 (b)
Are controls in place to ensure that the identification code and password issuance is periodically checked, recalled, and revised?
Yes
Through the use of Microsoft® Windows NT/2000/XP security, identification codes and passwords can be periodically checked, recalled and revised. The customer should prepare procedures stating how often passwords must be changed.
11.300 (c)
Are there loss management procedures in place to electronically disable lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information?
Yes
A Class-VP 7 administrator can at any time disable a user account, or issue a new password to an existing account in the event the account becomes compromised.
If a Class-VP 7 user forgets his / her password, the system administrator can issue a new one. The user can be required to change this temporary password at their next login attempt.
11.300 (d)
Are transaction safeguards in use to prevent unauthorized use of passwords and/or identification codes?
Yes
Class-VP 7 can be configured such that only the user knows their username / password identification code. Passwords are always displayed as asterisks and are stored encrypted within the database so that even an administrator cannot see them.
11.300 (d)
Are transaction safeguards in use to detect and report in an immediate and urgent manner, any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management?
Yes
Class-VP 7 can be configured such that unauthorized access attempts lock out the user account and send email notification to a system administrator.