What Is 21 CFR Part 11 Compliance?

Overview of 21 CFR part 11

 

Traditionally companies have submitted documents to the FDA on paper with hand-written signatures. The FDA saw that technology was finally to the point to where it was time for them to allow electronic submissions. However they also saw that although the submissions of electronic documents would simplify things greatly, it would also complicate things. The FDA decided to write some guidelines that if followed would ensure data integrity, security and accountability for submissions made. These guidelines were called 21 CFR part 11.

There are two aspects that need to be followed in order for a company to implement the 21 CFR part 11 guidelines. The first is software related which is what Spectrex offers and the second has to do with your company introducing Standard Operating Procedures relating to the CFR guidelines. The information presented here will pertain only towards Spectrex’s software solution Datacom.

The 21CFR part 11 specifies guidelines for what they term Closed (computer) Systems and Open (computer) Systems. A Closed System is a system maintained on a dedicated connection between the source (i.e. The PC2200 Liquid Particle Counter) and the storage (a database on the hard drive on your computer) where open external access is not permitted. In an Open System data is collected from multiple locations and stored in one common location or database. Access to this database must be strictly maintained and requires encryption to ensure the validity of the data. Spectrex Datacom currently only follows the recommendations for Closed Systems.

Closed systems have security requirements that specify controls for the authenticity and integrity of electronic records. The following list shows what is required:

  • Data must be retrievable for audit, or review in a human readable format.
  • Audit Trails must exist, be secure, date and time stamped and must be un-editable.
  • Security controls are in place to ensure;
  • No two individuals have the same combination of user name and password .
  • Periodic changing of identification codes and passwords .
  • Loss management and replacement procedures.
  • Guarding against unauthorized use.
  • Reporting of unauthorized use .

 

How Spectrex Datacom has Implemented 21 CFR part 11

 

Spectrex Datacom along with our PC2200 Liquid Particle Counter is the complete solution for your company. We offer a Windows® 2000/XP based compatible software package which provides secure collection, storage, analysis and report generation of data reported by the PC2200 Liquid Particle Counter. To ensure that the electronic records (data) can be verified as genuine, trustworthy and as reliable as the original, Datacom uses an SQL database which requires a user name and a strong password with a minimum of 6 characters to access its data. To ensure that access to the stored data meets all the controls required for closed systems the following features have been implemented:

  • An audit trail tracks Datacom generated events, including invalid login attempts, instrument onsite calibrations, and configuration changes.
  • The Administrator enters each user’s information (i.e. name, title etc.) and every user is assigned a unique user name and password .
  • Upon the user’s first login the user is prompted to change their password.
  • Passwords are required to follow strong password requirements with a minimum of 6 characters.
  • No two users may have the same exact user name /password combination.
  • Passwords are saved with triple DES encryption.
  • There is a mandatory password change after 90 days.
  • Controlled access rights and authorization.
  • Users are required to login using both their unique user name and password.
  • After 3 wrong login attempts, an entry is made into the invalid login log.
  • User accounts can be de-activated.
  • Access to SuperCount® particle counting software is ONLY available from within Datacom.
  • All measurements performed must be electronically signed and verified by the user in order to save the data to Datacom.
  • All measurement data is saved with;
  • Time and Date of the measurement
  • User name
  • The users electronic signature verifying the data’s validity
  • All reports, whether viewed, printed or exported contain the user’s name and user name and the time and date of the measurement.
  • Secure PDF generation of reports with digital IDs.