GxP regulated industry assessments of SoftMax Pro Software
This document outlines references to 21 CFR Part 11 and EudraLex Annex 11 and how they apply to the implementation of SoftMax® Pro GxP Data Acquisition and Analysis Software in regulated environments.
What is Part 11?
Though Part 11 is not a mandate for the use of electronic or computerized systems, it allows the use of electronic records, safeguards the integrity of computerized systems, data, and the validity of electronic signatures. Most recently, the FDA enforces data integrity as a vital part of ensuring the safety of medical products for human and veterinary use. The FDA can exercise “enforcement discretion” in the areas of validation, audit trails, retention of records and record copying on electronic records.
It is appropriate for users who create, modify, or delete regulated records to review an audit trail as it reveals malicious intent, such as tampering with data and fabrication of results.
What is Annex 11?
Annex 11 is a guidance document that supplements the European Union’s GMP rules: EudraLex Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice which applies to any human and veterinary medicinal products manufactured or sold in the European Union.
This annex applies to all computerized systems used in GMP regulated activities and ensures computerized systems used in the manufacture of medicinal products have no impact to product quality or product safety.
In general, when a computerized system replaces a manual operation, Annex 11 ensures there are no additional risks.
While Annex 11 and Part 11 are mutually aligned with the goal of safe, validated computerized systems for drug and medical device manufacturing, their approach to this goal is different. Annex 11 is more a guideline and not a legal requirement, where Part 11 is fully enforceable under federal law.
Whose responsibility is it to validate the system?
A regulated customer, or those that manufacture food or drugs for human and veterinary consumption are required to comply to regulations. SoftMax Pro GxP Data Acquisition and Analysis Software, including GxP Admin Portal (Molecular Devices), is not subject to FDA regulatory requirements but can ensure their customers achieve their compliance to 21 CFR Part 11 and EudraLex Annex 11.
Annex 11 mentions a process owner, system owner, qualified person, and IT. On the customer side, it is the ‘system owner’ (usually IT management) or the ‘business process owner’ (usually lab managers) who interface with IT are ultimately responsible for validation. A validation team should be representative of multiple stakeholders.
- Quality Assurance (QA) ensures a thorough review to verify local corporate quality standards are met.
- Department heads are vital, as they provide the business case and resources for validation.
Impact of compliance vs. non-compliance
Costs to validate multiple computerized systems can be significant and efforts must be carefully planned to identify resources, procurement and project expenses. Some organizations may enlist third parties to design and execute computerized system validation, but the responsibility for the validation effort and maintaining a compliant validated system cannot be delegated and remains with the regulated customer per regulations in 21 CFR Part 11 and EudraLex Annex 11.
Public record of judgements against pharmaceutical or independent/contract labs show that the cost of non-compliance is significant (can be in the millions of dollars) for lost productivity and revenue, costs for rework, and reputation with investors and customers.
Federal regulatory agencies have the authority to show up unannounced to conduct audits/investigations. If auditors find observations, they may issue verbal warnings or Form 483s. These can escalate into warning letters for more serious violations. These can lead to shutdown of manufacturing operations, or products may not be permitted for distributed within the United States.
The Code of Federal Regulations (CFR) is a codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government.
It is divided into 50 titles that represent broad areas subject to Federal regulation.
Title 21 of the CFR is reserved for rules regulated by the Food and Drug Administration (Dept. of Health and Human Services), the Drug Enforcement Administration (Dept. of Justice) and the Office of National Drug Control Policy.
- Part 11 – Electronic Records; Electronic Signatures
Volume 4 of “The rules governing medicinal products in the European Union” contains guidance for the interpretation of the principles and guidelines of good manufacturing practices for medicinal products for human and veterinary use.
The GMP Guide is presented in three parts and supplemented with annexes that represent broad areas subject to Federal regulation.
- Annex 11 – Computerized Systems
Table 1: Assessment of 21 CFR Part 11 Compliance for SoftMax Pro GxP Software.
§11.10 – Controls for Closed Systems
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include:
Each SoftMax Pro GxP Software data document file has its own audit trail.
The GxP Admin Portal software maintains system audit trail information that reports end user activities within the software and database.
(k) Use of appropriate controls over systems documentation including:
- Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
- Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
§11.50 – Signature manifestations
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
- The printed name of the signer;
- The date and time when the signature was executed; and
- The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
Statements and document audit trails are available in SoftMax Pro GxP Software.
System audit trail is available in GxP Admin Portal software.
§11.70 – Signature record/linking
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
§11.100 – General Requirements
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
§11.200 – Electronic Signature components and controls
(a) Electronic signatures that are not based upon biometrics shall:
- Employ at least two distinct identification components such as an identification code and password.
- When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
- When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
§11.300 – Controls for Identification codes/passwords
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
Table 2: Assessment of EudraLex Volume 4 (Annex 11) Compliance for SoftMax Pro GxP Software.
1. Risk management
Risk management should be applied throughout the lifecycle of the computerized system, taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system.
There should be close cooperation between all relevant personnel such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.
3. Suppliers and Service Providers
3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerized system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.
Molecular Devices provides customized software validation services that could include automated processes.
Molecular Devices certified Field Service Engineers (FSEs) provide IQ/OQ or PM/OQ services for plate readers.
4.2 Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.
SoftMax Pro GxP Software has built-in protocol files that work with the SpectraTest Validation plates.
SoftMax Pro GxP Software allows for customizable protocol files.
7. Data Storage
7.1 Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period.
8.1 It should be possible to obtain clear printed copies of electronically stored data.
9. Audit Trails
Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”). For change or deletion of GMP-relevant data The reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.
10. Change and configuration management
Any changes to a computerized system including system configurations should only be made in a controlled manner in accordance with a defined procedure.
11. Periodic evaluation
Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports.
12.1 Physical and/or logical controls should be in place to restrict access to computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.
User IDs and passwords are configured in the GxP Admin Portal software.
User access can be deactivated and passwords can be reset in the GxP Admin Portal software. Token access is not used by SoftMax Pro GxP Software nor can it be configured in the GxP Admin Portal software.
14. Electronic Signature
Electronic records may be signed electronically. Electronic signatures are expected to:
- have the same impact as hand-written signatures within the boundaries of the company
- be permanently linked to their respective record
- include the time and date that they were applied
16. Business Continuity
For the availability of computerized systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested.
Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested.
Proven GxP solutions to assure data integrity and compliance
Our mission at Molecular Devices is to assist our customers in achieving compliance in GLP (good laboratory practices) and GMP (good manufacturing practice) regulated labs. We have developed proven GxP compliance solutions with microplate detection systems and software. Combined with installation and validation services along with IQ/OQ support, our solutions assure data integrity.