Compliance and control
The requirements specified within U.S. Food and Drug Administration (FDA) 21 CFR Part 11 – Guidance for industry and European Commission (EMEA Annex 11) are important considerations for any regulated laboratory using a data management system for electronic records and signatures. Our software has been developed with the requirements of 21 CFR Part 11 and Annex 11 in mind and facilitates compliance as long as SOPs are followed.
Compliance is a combination of the software’s functionality (complete audit trails, controlled data entry and electronic signatures) together with the specific configurations applied, associated training records, operating instructions and other items associated with the implementation.
Together with the software, Terrington Data Management provides training, validation services (IQ/OQ/PQ) and post-implementation support.
Accurate and complete records
Any laboratory software (ELN or LIMs) should record an accurate and complete record of any electronic data entered into the system. A record is not accurate if the data entered is not controlled. Updates to any data field should be restricted and no data should be deleted. The system should also detect any invalid records.
Our software complies with these requirements. All data entered into the system is recorded and shown the audit trail for each data set. For example, Balance calibration records will show every event from the selection of the balance to the signatures for completion. Any invalid data is flagged-up via “Exceptions”. No data can be altered unless a role permits it.
Controlled access to electronic records
User access to applications and/or studies should be controlled. Access should be based on authorisation levels, roles and permissions for an individual user (or users within a group), which in turn should reflect individual training records and any other statutory requirement.
You can control any level of access with our software. Roles can be created which allow a specific level of access to be defined. The role (or roles) can then be applied to a user. A user with that role can then be subsequently applied to an application. Therefore, a user can have one access profile in one application and a different profile in another application. The software allows you control access on a per user basis or user groups (teams).
Your software system must automatically generate an audit trail to ensure that records are accurate and any deviation is logged. An audit trail must record the date and time and user ID of all data entered into the system. An audit record must be preserved, not changed or deleted.
Every single data point entered into our software is recorded along with the user ID, local time and date stamp. Any deviation is highlighted, every comment is recorded. The audit record is held with the data template and cannot be deleted or changed. A system audit log also records any invalid log-ins, any global changes (permissions allowing) and any system errors.
All digital signatures in an electronic record should include the name/ID of the person signing the record, the date and time when signature was entered. A user should not be able complete a signature without user name and password and if they do not have the appropriate permissions. Ideally, signatures should be completed in sequence. For example, “Approved By” should not be completed before “Complied By”.
Our software controls sign-offs based on roles/permissions and includes user name, time and date stamp. You cannot sign-off if your role does not permit it and you must enter your user name password. The order in which sign-offs are completed can be configured using “hold points”.
Your software should be validated in accordance with regulatory recommendations. This should include an installation record (IQ), operational qualification (OQ) and performance qualification (PQ). OQ should be performed on the permanent/production platform where the software is to be used. PQ should be performed on each data collection template to ensure that any embedded calculation output is accurate, any data linking performs as expected, security fields are controlled and any peripheral functions (e.g., label configurations) are operational.
We supply IQ as standard and we can provide OQ scripts or perform OQ for you. PQ is performed in accordance to your SOPs, but Terrington Data Management can advise on the protocols required.