"OpenLab CDS Compliance" white paper
Data Integrity Software Solutions for Your Lab | Agilent
White Paper
Support for Title 21 CFR Part 11 and Annex 11 compliance: Agilent OpenLab CDS
Valid for OpenLab CDS version 2.6
Overview
US FDA Part 11 in Title 21 of the Code of Federal Regulations (CFR), and its EU analog, Eudralex Chapter 4, Annex 11, describe the requirements for electronic records and electronic signatures for regulated pharmaceutical organizations. Released in 1997, 21 CFR Part 11 has been enforced since 1999. The intent of these guidelines is to ensure that all appropriate electronic records are attributable, legible, contemporaneous, original, accurate, and maintained with integrity.
This white paper is a resource for users of Agilent OpenLab CDS systems whose organizations must comply with these regulations. OpenLab CDS controls acquisition and processing of LC, GC, single-quadrupole LC/MS and GC/MS, and A/D data. It is the responsibility of the user and their organization to ensure that the functionalities provided by OpenLab CDS are used appropriately to achieve compliant operation for laboratory data acquisition and processing.
In addition to the technical controls OpenLab CDS provides, the user organization must establish procedural controls (standard operating procedures, SOPs) to address relevant non-technical requirements. For example, controls such as internal audit programs must also be established to ensure that system operators follow the SOPs.
Appendix 1 provides a detailed description of how OpenLab CDS supports users and their organizations in achieving the requirements of each section of 21 CFR Part 11 and the related sections of EU Annex 11. The descriptions assume that system access, including instrument hardware and software, is controlled by the staff responsible for the electronic records contained on the system. Thus, the system is designed as a "closed system" as defined in 21 CFR Part 11.3(b)(4).
21 CFR Part 11
21 CFR Part 11 covers three specific elements of a regulated laboratory's operation:
• Security of electronic records,
• Attribution of work,
• Electronic signatures (if used)
Security
Security can be interpreted as "the right people, having the right access, to the right information." Regulated organizations must be able to both verify the identity of system users and limit system access to trained, authorized individuals (11.10(d), (i) and (g); 11.100(b)). Because laboratory staff have different responsibilities based on their job assignments, data access must be segregated and defined such that certain users have certain types of access to certain sets of data while potentially having different access to other data sets.
Attribution of work
Attribution of work refers to documenting the "Who, what, when, where and why?" of work performed. Automated audit trails independently record users' actions, thus connecting laboratory staff to the work they perform. Audit trail entries enable staff and regulatory inspectors to reconstruct the complete history of an electronic record.
• Who: clearly identifies the person responsible for the particular action that creates, modifies, or deletes a record.
• What: is the action that took place, including, if applicable, the old value and the new value contained in the record.
• When: unambiguously declares the date and time the action took place.
• Where: clearly identifies the impacted record.
• Why: explains the reason for a change to a regulated record. The reason is often selected from a list of pre-defined reasons to provide consistency and to enable searching and sorting of entries.
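The five attributes above map directly onto the fields of an append-only log entry. The following Python sketch is an added illustration, not OpenLab CDS code or Agilent's implementation: the field names, the reason list, the record identifiers and the SHA-256 hash chain used to make later alteration detectable are all assumptions of this example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed list of pre-defined reasons (the "why"); a real site defines its own.
REASONS = ("Integration parameters corrected", "Sample name corrected", "Method updated")
ACTIONS = ("create", "modify", "delete")
GENESIS = "0" * 64  # stands in for "digest of the previous entry" on the first entry


@dataclass(frozen=True)
class AuditEntry:
    who: str                  # unique user ID responsible for the action
    what: str                 # one of ACTIONS
    old_value: Optional[str]  # value before the change, if applicable
    new_value: Optional[str]  # value after the change, if applicable
    when: str                 # ISO 8601 timestamp, always stored in UTC
    where: str                # identifier of the impacted record
    why: str                  # reason for the change
    prev_digest: str          # digest of the preceding entry (hash chain)
    digest: str = ""          # SHA-256 over every field above

    def compute_digest(self) -> str:
        body = asdict(self)
        del body["digest"]
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: entries are added, never edited or removed."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, who: str, what: str, where: str, why: str,
               old_value: Optional[str] = None, new_value: Optional[str] = None,
               when: Optional[datetime] = None) -> AuditEntry:
        if not who.strip() or not where.strip():
            raise ValueError("who and where must identify a user and a record")
        if what not in ACTIONS:
            raise ValueError(f"unknown action: {what!r}")
        # Changes to an existing record need a reason from the pre-defined list.
        if what != "create" and why not in REASONS:
            raise ValueError(f"reason not in pre-defined list: {why!r}")
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamp must carry a time zone")
        prev = self._entries[-1].digest if self._entries else GENESIS
        entry = AuditEntry(who, what, old_value, new_value,
                           when.astimezone(timezone.utc).isoformat(),
                           where, why, prev)
        entry = replace(entry, digest=entry.compute_digest())
        self._entries.append(entry)
        return entry

    def history(self, where: str) -> List[AuditEntry]:
        """All entries for one record, oldest first, to reconstruct its history."""
        return [e for e in self._entries if e.where == where]

    def first_invalid(self) -> Optional[int]:
        """Index of the first altered or out-of-chain entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e.prev_digest != prev or e.digest != e.compute_digest():
                return i
            prev = e.digest
        return None


def build_sample_trail() -> AuditTrail:
    """Constructed sample data: two users, two records, one local-time input."""
    cet = timezone(timedelta(hours=1))
    trail = AuditTrail()
    trail.record("asmith", "create", "result/0001", "Record created",
                 new_value="area=1520.4", when=datetime(2024, 3, 1, 10, 0, tzinfo=cet))
    trail.record("asmith", "modify", "result/0001", "Integration parameters corrected",
                 old_value="area=1520.4", new_value="area=1498.7",
                 when=datetime(2024, 3, 1, 9, 12, tzinfo=timezone.utc))
    trail.record("bjones", "modify", "method/assay-01", "Method updated",
                 old_value="flow=1.0", new_value="flow=1.2",
                 when=datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    for e in trail.history("result/0001"):
        print(e.when, e.who, e.what, e.old_value, "->", e.new_value, "|", e.why)
    print("first invalid entry:", trail.first_invalid())
```

Because each digest covers the previous entry's digest, editing any stored field makes `first_invalid()` return that entry's index, and a reviewer can rebuild one record's history with `history()`.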
eSignatures
While 21 CFR Part 11 does not require the use of eSignatures, it does set out requirements for their use when they are used. In this case, the system must ensure that eSignatures:
• Are irrevocably linked to their respective records.
• Show the full name of the signer, date and time, as well as the meaning of, or reason for, the signature (such as review, approval, responsibility, or authorship).
• Are present whenever the signed records are displayed or printed.
"Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users."
- Botha, Eloff, IBM Systems Journal [1]
Appendix 1. Satisfying the requirements set forth in US FDA Title 21 CFR Part 11 and related global regulations using OpenLab CDS.
Appendix 1 Table: Notes
Column one
The table addresses 21 CFR Part 11 requirements in the order that they are presented in the US FDA reference document [2]. Related requirements such as those found in EU Annex 11 [3] follow each section of Part 11.
Column two
For completeness, column two lists all requirements of 21 CFR Part 11 and other related global requirements. "System" refers to the analytical system used to acquire and process data.
Most requirements are fulfilled by either technical controls (i.e., software functionality) or procedural controls (i.e., SOPs). Technical controls are controls provided by the software and hence the software supplier, while procedural controls are the responsibility of the user organization. 21 CFR Part 11 requirements listed in bold are requirements addressed by technical controls. Other global requirements are listed in regular font. Requirements that must be addressed by procedural controls are listed in blue.
Column three
Some requirements involve both technical and procedural controls. Responsibilities for each requirement are listed in column three. "S" refers to analytical system supplier. "U" refers to the user organization. Rows containing requirements that must be exclusively addressed by the user organization are shown in blue. Blue may also be technical controls the user will be responsible to implement.
Column four
If available and where appropriate, related global requirements and comments are provided in column four.
Column five
Column five indicates with a "yes" or "no" whether the requirement can be satisfied using the technical controls provided in OpenLab CDS. N/A is not applicable to the CDS.
Column six
Column six explains how the regulatory requirement can be satisfied using the technical controls provided by OpenLab CDS. Column six also provides additional recommendations for the user organization when relevant.

1. Validation
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.10(a)
Requirement: 1.1 Is the system validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records?
S, U: S, U
Other associated regulations and comments: Required by all regulations.
Yes/No: Yes
How satisfied / recommendation: This is a typical example of shared responsibility between the system supplier and the user organization. While the user organization has ultimate responsibility for validation, some tasks can only be done and must be delivered by the software supplier, e.g., validation activities during development and related documentation.
Agilent Technologies has extensively verified the performance of OpenLab CDS using tests that evaluate accuracy, reliability and consistent performance. However, the user organization is required to validate their analytical system according to regulatory expectations.
With respect to Agilent OpenLab CDS, "regulated records" are:
• Instrument Tune parameters
• Acquisition methods
• Acquired data
• Analysis methods
• Analysis results
• Report Templates
• Sequence template
• Executed sequence
• Associated audit trails/Electronic signature
OpenLab CDS check-sums these records to discover any "invalid or altered records." If an invalid or altered record is discovered, an error is displayed and the user is not able to open the files.

Part 11 and Others: Annex 11
Requirement: 1.2 Is infrastructure qualified?
S, U: U
Other associated regulations and comments: Annex 11.Principle B Brazil GMP 577
Yes/No: N/A
How satisfied / recommendation: Qualification of infrastructures, such as servers and networks, is the responsibility of the user organization.
2. Accurate Copies and Secure Retention and Retrieval of Records
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.10(b)
Requirement: 2.1 Is the system capable of generating accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA?
S, U: S
Yes/No: Yes
How satisfied / recommendation: Records are available printed on paper or electronically as a PDF file.

Part 11 and Others: Annex 11
Requirement: 2.2 Is it possible to obtain clear printed copies of electronically stored e-records?
S, U: S
Other associated regulations and comments: Annex 11.8.1 Brazil GMP 583
Yes/No: Yes
How satisfied / recommendation: Records are available printed on paper or electronically as a PDF file.

Part 11 and Others: Brazil
Requirement: 2.3 Are there controls to make sure that the data backup, retrieval and maintenance process is duly carried out?
S, U: S, U
Other associated regulations and comments: Brazil 585.2
Yes/No: Yes
How satisfied / recommendation: Backing up data is the responsibility of the user organization. Detailed instructions are available for creating the appropriate scheduled backup of all relevant files [5, 6].

Part 11 and Others: Part 11 11.10(c)
Requirement: 2.4 Does the system protect records to enable their accurate and ready retrieval throughout the records retention period?
S, U: S, U
Other associated regulations and comments: China GMP 163
Yes/No: Yes
How satisfied / recommendation: All raw data, metadata, and result data generated by OpenLab CDS is stored in a protected location. Physical security (control of physical access to workstations and servers) is the responsibility of the user organization. It is the user organization's responsibility to develop a review by exception protocol based on a risk-based assessment of unplanned events, such as network connectivity loss which would initiate a failover mode [7].

Part 11 and Others: Annex 11
Requirement: 2.5 Are data checked during the archiving period for accessibility, readability, and integrity?
S, U: U
Other associated regulations and comments: Annex 11.17
Yes/No: N/A
How satisfied / recommendation: It is the responsibility of the user organization to ensure data are checked during archival for accessibility, readability, and integrity.

Part 11 and Others: Annex 11
Requirement: 2.6 If relevant changes are made to the system (e.g., computer equipment or programs), is then the ability to retrieve the data ensured and tested?
S, U: S, U
Other associated regulations and comments: Annex 11.17
Yes/No: Yes
How satisfied / recommendation: The system is designed to read data from legacy versions of OpenLab CDS. The user organization is responsible for ensuring readability of this data during their implementation and validation processes.

Part 11 and Others: Annex 11
Requirement: 2.7 Are data secured by both physical and electronic means against damage?
S, U: S, U
Other associated regulations and comments: Annex 11.7.1 Brazil GMP 584
Yes/No: Yes
How satisfied / recommendation: All raw data, metadata, and result data generated by the system is stored in a protected location. Physical security is the responsibility of the user organization.
2. Accurate Copies and Secure Retention and Retrieval of Records continued
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Clinical guide
Requirement: 2.8 Are there controls implemented that allow the reconstruction of the electronic source/raw documentation for FDA's review of the (clinical) study and laboratory test results?
S, U: S
Other associated regulations and comments: Clinical Computer Guide F2 FDA Q&As
Yes/No: Yes
How satisfied / recommendation: All raw data is maintained in secure storage to allow reconstruction of laboratory test results as needed.

Part 11 and Others: Clinical guide
Requirement: 2.9 Does the information provided to FDA fully describe and explain how source/raw data were obtained and managed, and how electronic records were used to capture data?
S, U: U
Other associated regulations and comments: Clinical Computer Guide F2 FDA Q&As
Yes/No: N/A
How satisfied / recommendation: It is the responsibility of the user organization to describe how source/raw data were obtained and managed, and how electronic records were used to capture data.

Part 11 and Others: Annex 11
Requirement: 2.10 Does the system allow performing regular backups of all relevant data?
S, U: S
Other associated regulations and comments: Annex 11.7.1 China GMP 163 Brazil GMP 585 Part 211, 68 b
Yes/No: Yes
How satisfied / recommendation: Backing up data is the responsibility of the user organization. Detailed instructions are available for creating the appropriate scheduled automatic backups of all relevant files [5, 6].

Part 11 and Others: Annex 11
Requirement: 2.11 Is the integrity and accuracy of backed-up data and the ability to restore the data, checked, validated, and monitored periodically?
S, U: U
Other associated regulations and comments: Annex 11.7.2 China GMP 163 Brazil GMP 585 Part 211, 68 b
Yes/No: N/A
How satisfied / recommendation: It is the responsibility of the user organization to ensure the integrity and accuracy of backed-up data, and to check, validate and monitor restored data periodically.

Part 11 and Others: Clinical Computer Guide
Requirement: 2.12 Are procedures and controls in place to prevent the altering, browsing, querying, or reporting of data via external software applications that do not enter through the protective system software?
S, U: S, U
Other associated regulations and comments: Clinical Computer Guide E
Yes/No: Yes
How satisfied / recommendation: OpenLab CDS is preconfigured with FTP services enabled to facilitate bulk data operations. Due to the inherent limitations of FTP services, permissions may not be consistent with the permissions granted in the CDS. Therefore, Agilent recommends disabling FTP services when not needed. See the Administrator's Guide for details.

Part 11 and Others: Clinical Computer Guide
Requirement: 2.13 Are there controls implemented to prevent, detect, and mitigate effects of computer viruses, worms, or other potentially harmful software code on study data and software?
S, U: S, U
Other associated regulations and comments: Clinical Computer Guide F
Yes/No: N/A
How satisfied / recommendation: Agilent has tested OpenLab CDS in conjunction with industry standard anti-virus applications. However, it is the responsibility of the user organization to implement anti-virus software.

3. Authorized Access to Systems, Functions, and Data
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.10(d)
Requirement: 3.1 Is system access limited to authorized persons?
S, U: S, U
Other associated regulations and comments: China GMP 183 163 Brazil GMP 579, ICH Q7.5.43
Yes/No: Yes
How satisfied / recommendation: Each user is identified by a unique ID and password combination. Entry of both is required to access the system.

Requirement: 3.2 Is each user clearly identified, e.g., through his/her own user ID and Password?
S, U: S, U
Other associated regulations and comments: Several Warning Letters
Yes/No: Yes
How satisfied / recommendation: Each user is identified by a unique ID and password combination. Entry of both is required to access the system.

Part 11 and Others: Clinical
Requirement: 3.3 Are there controls to maintain a cumulative record that indicates, for any point in time, the names of authorized personnel, their titles, and a description of their access privileges?
S, U: S, U
Other associated regulations and comments: Clinical Computer Guide 4
Yes/No: Yes
How satisfied / recommendation: OpenLab CDS is able to authenticate users via either the Windows Domain or locally in the application itself. Access privileges are set in the application and any changes are recorded in the activity log. Reports are available that show users' individual and inherited group privileges. These reports are useful for organizations required to perform periodic security reviews.

4. Electronic Audit Trail
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.10(e)
Requirement: 4.1 Is there a secure, computer-generated, time-stamped audit trail to independently record the date and time of operator entries and actions that create, modify, or delete electronic records?
S, U: S
Other associated regulations and comments: China GMP 163
Yes/No: Yes
How satisfied / recommendation: All user activities are recorded in secure, computer-generated, time-stamped audit trails. Audit trails are created for all result data, methods, and sequences.

Part 11 and Others: FDA GLP
Requirement: 4.2 Does the audit trail record who has made which changes, when and why?
S, U: S
Other associated regulations and comments: FDA 21 CFR 58.130 e; Clinical Computer Guide 2; Clinical Source Data 3
Yes/No: Yes
How satisfied / recommendation: The audit trail includes the user ID, date and time of the change, and the before and after values together with the reason why the change was made.

Part 11 and Others: Annex 11
Requirement: 4.3 Can the system generate printouts indicating if any of the e-records have been changed since the original entry?
S, U: S
Other associated regulations and comments: Annex 11, 8.2
Yes/No: Yes
How satisfied / recommendation: Audit trails for records can be printed from any audit trail window.

Part 11 and Others: FDA GMP
Requirement: 4.4 Does the audit trail include any modifications to an established method employed in testing?
Requirement: 4.5 Do such records include the reason for the modification?
S, U: S
Other associated regulations and comments: Part 211.194 8b
Yes/No: Yes
How satisfied / recommendation: Methods have full audit trails, including the reason for any method modification.

Requirement: 4.6 Is the audit trail function configured to be always on and can it not be switched off by system users?
S, U: S, U
Other associated regulations and comments: Warning Letter
Yes/No: Yes
How satisfied / recommendation: Once audit trails are activated for a project, they cannot be de-activated by any user.

Part 11 and Others: Annex 11
Requirement: 4.7 Is audit trail available in a generally intelligible form for regular review?
S, U: S
Other associated regulations and comments: Annex 11, 9
Yes/No: Yes
How satisfied / recommendation: Audit trails are readily available in a configurable viewer accessed from a central location. The audit trail viewer can indicate which audit trail entries have been reviewed.

Requirement: 4.8 Can audit trail contents be configured such that only relevant activities are recorded for realistic and meaningful review of audit trail information?
S, U: S
Other associated regulations and comments: Implicitly required by Annex 11 with many warning letters related to review of audit trail.
Yes/No: Yes
How satisfied / recommendation: OpenLab CDS allows the audit trail to be filtered prior to displaying its contents to address user preferences for reviewing the information.

Part 11 and Others: Part 11 11.10(e)
Requirement: 4.9 Is previously recorded information left unchanged when records are changed?
S, U: S
Yes/No: Yes
How satisfied / recommendation: Changes are stored as new revisions of the original, which is left unchanged. During selection of results for further processing or reporting, the version of the result used can be chosen by the user (based on their permissions).

Part 11 and Others: Part 11 11.10(e)
Requirement: 4.10 Is audit trail documentation retained for a period at least as long as that required for the subject electronic record?
S, U: S, U
Yes/No: Yes
How satisfied / recommendation: Audit trail information is stored within the electronic record and cannot be separated from it.

Part 11 and Others: Part 11 11.10(e)
Requirement: 4.11 Is audit trail available for review and copying by the FDA?
S, U: S
Yes/No: Yes
How satisfied / recommendation: Audit trails can be reviewed and printed.

Part 11 and Others: Annex 11
Requirement: 4.12 Is it possible to obtain clear printed copies of electronically stored e-records (e.g., e-audit trail)?
S, U: S
Other associated regulations and comments: Annex 11, 8.1
Yes/No: Yes
How satisfied / recommendation: Audit trails can be reviewed and printed.

5. Operational and Device Checks
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.10(f)
Requirement: 5.1 Are there operational system checks to enforce permitted sequencing of steps and events, if required?
S, U: S
Yes/No: N/A
How satisfied / recommendation: It is the responsibility of the user organization to designate and enforce procedural controls.

Part 11 and Others: Part 11 11.10(g)
Requirement: 5.2 Are there authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand?
S, U: S
Other associated regulations and comments: Part 211, 68 b
Yes/No: Yes
How satisfied / recommendation: The system supports configurable user roles that control system access at a detailed level. Access can be segregated and defined such that certain users have certain specific types of access to certain specific types of data sets while having different access to other types of data sets.

Requirement: 5.3 Is the system designed to record the identity of operators entering, changing, confirming or deleting data including date and time?
S, U: S
Other associated regulations and comments: Annex 11, 12.4
Yes/No: Yes
How satisfied / recommendation: The identity of operators taking action in the system is recorded in both the audit trail and activity log.

Part 11 and Others: Part 11 11.10(h)
Requirement: 5.4 Does the system allow use of device checks to determine, as appropriate, the validity of the source of data input or operational instruction?
S, U: S
Other associated regulations and comments: There are two equally valid interpretations of this requirement. Systems should be designed such that:
1. Proper communication is confirmed between the computer and the "source" of data input (i.e., the instrument) prior to transmission of instructions to or data from the "source."
2. Regulated records created by the system must unambiguously indicate the "source" of the data (i.e., which instrument or component generated the data.)
Yes/No: Partially
How satisfied / recommendation:
1. The system is designed to continually ensure a valid connection between the instrument and the computer workstation.
2. Identification of certain instrument components such as LC modules and MS instruments is not supported in OpenLab CDS, and these components are thus not indicated in electronic records as the data source.

Part 11 and Others: Part 11 11.10(i)
Requirement: 5.5 Is there documented evidence that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks?
S, U: U
Other associated regulations and comments: China GMP 18 Brazil 571
Yes/No: N/A
How satisfied / recommendation: It is the responsibility of the user organization to maintain documented evidence that the persons who develop, maintain, or use electronic record and electronic signature systems have the education, training, and experience needed to perform these tasks. Agilent software professionals involved in development of OpenLab CDS have received training in relevant aspects of data integrity.

Part 11 and Others: Part 11 11.10(j)
Requirement: 5.6 Is there a written policy that holds individuals accountable and responsible for actions initiated under their electronic signatures, in order to determine record and signature falsification?
Requirement: 5.7 Have employees been trained on this procedure? (Implied requirement of Part 11 11.10(j))
S, U: U
Yes/No: N/A
How satisfied / recommendation: It is the responsibility of the user organization to establish a written policy (SOP) and training that holds staff responsible for the actions initiated under their electronic signatures.

5. Operational and Device Checks continued
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.10(k)
Requirement: 5.8 Are there appropriate controls over systems documentation including:
1. Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance?
2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
S, U: U
Other associated regulations and comments: China GMP 161
Yes/No: N/A
How satisfied / recommendation:
1. It is the responsibility of the user organization to establish systems documentation.
2. Agilent maintains development and testing documentation for OpenLab CDS. Upon request, this documentation is available for user review.

6. Data Integrity, Date and Time Accuracy
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Annex 11
Requirement: 6.1 Do computerized systems that exchange data electronically with other systems include appropriate built-in checks for the correct and secure entry and processing of data?
S, U: S
Other associated regulations and comments: Annex 11.5
Yes/No: N/A
How satisfied / recommendation: In this context, OpenLab CDS does not exchange data with other systems.

Part 11 and Others: Annex 11
Requirement: 6.2 Is there an additional check on the accuracy of the data? This check may be done by a second operator or by validated electronic means.
S, U: S, U
Other associated regulations and comments: Annex 11-6 Brazil GMP 580 ICHQ7-5.45
How satisfied / recommendation: OpenLab CDS allows for multiuser review and approval using an eSignature workflow.

Part 11 and Others: Clinical Computer Guide
Requirement: 6.3 Are controls established to ensure that the system's date and time are correct?
S, U: S, U
Other associated regulations and comments: Clinical Computer Guide D.3
Yes/No: Yes
How satisfied / recommendation: Agilent recommends that the system be configured to reference a time server to ensure accuracy of the system date and time. This is configured in and controlled by the operating system.

Part 11 and Others: Clinical Computer Guide
Requirement: 6.4 Can date or time only be changed by authorized personnel, and is such personnel notified if a system date or time discrepancy is detected?
S, U: S
Other associated regulations and comments: Clinical Computer Guide D.3
Yes/No: N/A
How satisfied / recommendation: OpenLab CDS is designed to synchronize with local Windows time. It is the user organization's responsibility to:
• Limit access controls of Windows time settings to only authorized personnel.
• Maintain procedural controls for setting and maintaining the accuracy of Windows time.

Part 11 and Others: Clinical Computer Guide
Requirement: 6.5 Are timestamps with a clear understanding of the time zone reference used implemented for systems that span different time zones?
S, U: S, U
Other associated regulations and comments: Clinical Computer Guide D.3
Yes/No: Yes
How satisfied / recommendation: All time data is time stamped in Coordinated Universal Time (UTC)/Greenwich Mean Time (GMT) and displayed in the local time of the computer used.

7. Control for Open Systems (Only Applicable for Open Systems)
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.30
Requirement: 7.1 Are there procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt?
S, U: S, U
Yes/No: N/A
How satisfied / recommendation: OpenLab CDS is not intended to be deployed as an "open" system as per 21 CFR Part 11.3(b)(9).

Part 11 and Others: Part 11 11.30
Requirement: 7.2 Are there additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality?
S, U: S
Yes/No: N/A
How satisfied / recommendation: OpenLab CDS is not intended to be deployed as an "open" system as per 21 CFR Part 11.3(b)(9).

8. Electronic Signatures - Signature Manifestation and Signature/Record Linking
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Annex 11
Requirement: 8.1 When electronic signatures are used, do they have the same impact as handwritten signatures within the boundaries of the company? Are they permanently linked to their respective record? Do they include the time and date that they were applied?
S, U: S, U
Other associated regulations and comments: Annex 11.14 ICH Q7.6.18
Yes/No: Yes
How satisfied / recommendation: The user organization must establish the legal impact of electronic signatures. Signatures are permanently linked to their respective records. Signed electronic records include the date and time the signature was executed.

Part 11 and Others: Part 11 11.50 (a)
Requirement: 8.2 Do signed electronic records contain information associated with the signing that clearly indicates all of the following:
1. The printed name of the signer?
2. The date and time when the signature was executed? and
3. The meaning (such as review, approval, responsibility, or authorship) associated with the signature?
S, U: S
Yes/No: Yes
How satisfied / recommendation: Signed electronic records show
1. the name of the signer,
2. the date and time the signature was executed,
3. and the meaning of the signature.

Part 11 and Others: Part 11 11.50 (b)
Requirement: 8.3 Are the items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section subject to the same controls as for electronic records and are they included as part of any human readable form of the electronic record (such as electronic display or printout)?
S, U: S
Yes/No: Yes
How satisfied / recommendation: All electronic signature components are displayed in a human readable form and may be printed.

Part 11 and Others: Part 11 11.70
Requirement: 8.4 Are electronic signatures and handwritten signatures linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means?
S, U: S
Yes/No: Yes
How satisfied / recommendation: Handwritten signatures are not addressed by the system and must be managed procedurally by the user organization. Electronic signatures are embedded in the electronic record and cannot be modified, overwritten or deleted.

Part 11 and Others: Part 11 Preamble
Requirement: 8.5 Is there a user-specific automatic inactivity disconnect measure that would "de-log" the user if no entries or actions were taken within a fixed short timeframe?
S, U: S
Other associated regulations and comments: Part 11 Preamble section 124
Yes/No: Yes
How satisfied / recommendation: Automatic session locking enables the user organization to configure a time after which the user is automatically logged out.

9. Electronic Signatures General Requirements and Signature Components and Controls
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.100(a)
Requirement: 9.1 Is each electronic signature unique to one individual and not reused by, or reassigned to, anyone else?
S, U: S, U
Yes/No: Yes
How satisfied / recommendation: The system will not allow duplicate user IDs. Each user has a unique login and thus a unique signature that cannot be used by another user.

Part 11 and Others: Part 11 11.100(b)
Requirement: 9.2 Does the organization verify the identity of the individual before the organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature?
S, U: U
Yes/No: N/A
How satisfied / recommendation: It is the responsibility of the user organization to verify the identity of staff before it establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature.

Part 11 and Others: Part 11 11.100 (c)
Requirement: 9.3 Are persons using electronic signatures, prior to or at the time of such use, certified to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures?
Requirement: 9.4 Do persons using electronic signatures, upon agency request provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature?
S, U: U
Yes/No: N/A
How satisfied / recommendation: It is the responsibility of the user organization to verify that staff using electronic signatures meet these requirements.

Part 11 and Others: Part 11 11.200(a) (1)
Requirement: 9.5 Do electronic signatures that are not based upon biometrics employ at least two distinct identification components such as an identification code and password?
S, U: S, U
Yes/No: Yes
How satisfied / recommendation: Both identification (user ID) and password are required to make an electronic signature.

Part 11 and Others: Part 11 11.200(a) (1) (i)
Requirement: 9.6 When an individual executes a series of signings during a single, continuous period of controlled system access, is the first signing executed using all electronic signature components?
S, U: S
Yes/No: Yes
How satisfied / recommendation: Both identification (user ID) and password are required to make all electronic signatures.

Part 11 and Others: Part 11 11.200(a) (1) (i)
Requirement: 9.7 When an individual executes a series of signings during a single, continuous period of controlled system access, are subsequent signings executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual?
S, U: S
Yes/No: Yes
How satisfied / recommendation: Both identification (user ID) and password are required to make all electronic signatures.

Part 11 and Others: Part 11 11.200(a) (1) (ii)
Requirement: 9.8 When an individual executes one or more signings not performed during a single, continuous period of controlled system access, is each signing executed using all of the electronic signature components?
S, U: S
Yes/No: Yes
How satisfied / recommendation: Both identification (user ID) and password are required to make all electronic signatures.

9. Electronic Signatures General Requirements and Signature Components and Controls continued
Columns: Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers?

Part 11 and Others: Part 11 11.200(a) (2)
Requirement: 9.9 Are controls in place to ensure that electronic signatures that are not based upon biometrics are used only by their genuine owners?
S, U: S
Yes/No: N/A
How satisfied / recommendation: It is the user organization's responsibility to ensure that user names and passwords are known only by the assigned individuals and are traceable to individual users.

Part 11 and Others: Part 11 11.200(a) (3)
Requirement: 9.10 Are the electronic signatures administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals?
S, U: S, U
Yes/No: Yes
How satisfied / recommendation: Misuse of electronic signatures by anyone other than the owner would require intentional co-operation of a user and the System Administrator.

Part 11 and Others: Part 11 11.200(b)
Requirement: 9.11 Are electronic signatures based upon biometrics designed to ensure that they cannot be used by anyone other than their genuine owners?
S, U: S
Yes/No: N/A
How satisfied / recommendation: Biometric authentication is not supported in OpenLab CDS.

10. Controls for Identification Codes and Passwords

| Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers? |
| --- | --- | --- | --- | --- | --- |
| Part 11 11.300(a) | 10.1 Are controls in place to maintain the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password? | S, U | | Yes | OpenLab CDS does not allow duplicate user IDs. |
| Part 11 11.300(b) | 10.2 Are controls in place to ensure that identification code and password issuance are periodically checked, recalled, or revised (e.g., to cover such events as password aging)? | S, U | | Yes | Password expiration is configurable via either the Windows Domain or locally in the application itself. The user organization should configure password expiration based on a documented risk assessment. |
| Part 11 11.300(c) | 10.3 Are there procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls? | U | | N/A | It is the responsibility of the user organization to establish these procedures. |
| Part 11 11.300(d) | 10.4 Are there transaction safeguards in place to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts of their unauthorized use to the system security unit, and, as appropriate, to organizational management? | U | | N/A | It is the responsibility of the user organization to establish these transaction safeguards. |
| Part 11 11.300(e) | 10.5 Are there controls for initial and periodic testing of devices, such as tokens or cards that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner? | U | | N/A | It is the responsibility of the user organization to establish controls to test devices initially as well as periodically to ensure they function properly and have not been altered in an unauthorized manner. |
11. System Development and Support

| Part 11 and Others | Requirement | S, U | Other associated regulations and comments | Yes/No | If yes, how, specifically, is the requirement satisfied using OpenLab CDS? If no, what is the recommendation to customers? |
| --- | --- | --- | --- | --- | --- |
| Annex 11 | 11.1 Has the software or system been developed in accordance with an appropriate quality management system? | S, U | Annex 11 4.5; Brazil GMP 577; GAMP. This is a shared responsibility between the system supplier and the user organization. The user should require the supplier to provide documented evidence that software is developed within the framework of a quality management system (QMS). | Yes | OpenLab CDS is developed within the ISO 9001 Quality Management Standard (Ref. section 2.2 of the LSCA Quality Manual). |
| Brazil | 11.2 Is there a formal agreement when the software supplier subcontracts software and maintenance services. Does the agreement include the contractor's responsibilities? | S, U | Brazil GMP 589. This is a shared responsibility between the system supplier and the user organization. The supplier must have such an agreement with the subcontractor, and the user must verify that the agreement is in place. | Yes | Agilent requires formal agreements with all suppliers (Ref. section 7.4 of the LSCA Quality Manual). |
| ICH Q10 | 11.3 For outsourced (development and support) activities, is there a written agreement between the contract giver and contract acceptor? | S, U | ICHQ10, 2.7 c | Yes | Agilent requires formal agreements with all suppliers (Ref. section 7.4 of the LSCA Quality Manual). |
| ICH Q10 | 11.4 Are the responsibilities and communication processes for quality related activities of the involved parties (contractors) defined? | S, U | ICHQ10, 2.7 c | Yes | Agilent defines responsibilities of all suppliers (Ref. section 7.4 of the LSCA Quality Manual). |
| Part 11 11.10(i) | 11.5 Is personnel developing and supporting software trained? | S, U | This is a shared responsibility between the system supplier and the user organization. The supplier must ensure its staff is trained, and the user should have assurance, e.g., through audits that SW developers are trained and that this training is documented. | Yes | All Agilent personnel are required to be trained (Ref. section 6.0 of the LSCA Quality Manual). |
www.agilent.com/chem/openlab-cds
This information is subject to change without notice.
© Agilent Technologies, Inc. 2021 Printed in the USA, June 2, 2021 5994-3659EN
