How should I evaluate iButton based temperature (Thermochron, Smartbutton) data-loggers and temperature/humidity (Hygrochron) data-loggers relative to 21 CFR Part 11 compliance?
21 CFR Part 11 is binding on all systems and applications that generate records in support of FDA regulated activities, or submissions to the FDA. Additionally, the rule is also binding on those systems that support electronic data communication with the FDA. The regulation focuses on data security, integrity and traceability. By preparing and submitting electronic records, a company is able to bring its products onto the market much faster, thereby increasing profits. In contrast though, non-compliance with the regulation will lead to regulatory scrutiny, costly rework and downtime, compromised product quality resulting in product recalls or seizure, and prosecution.
This document helps to evaluate your system relative to 21 CFR Part 11.
Note: this part applies to both closed and open systems relative 21 CFR Part 11 requirements.
'Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.'
Compliance: Opulus Quality System Manual and the corresponding SOPs support detailed Life Cycle standards in accordance of the current Software Validation Guideline of the FDA. PyroButton Standard has been developed using these requirements.
'The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.'
Compliance: PBS documents, audit trails, and other data sources are of XML format, thus their content is suitable for both human and electronic processing.
'Limiting system access to authorized individuals.'
Compliance: PBS software limits access to authorized individuals only.
'Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.'
Compliance: PBS software provides full audit trail for the Device Manager and User Manager events and supports both hardware and software encryption to prevent unauthorized modifications.
Note: Hardware encryption is available only in certain models.
'Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.'
Compliance: PBS system uses a wizard guide & control checks with pre-defined sequencing of events.
'Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.'
Compliance: PBS system includes 2 levels of security assignment, which can be utilized for pre-defined access rights. Moreover, inactive and/or disqualified users can be disabled.
'Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.'
Compliance: Each PyroButton has a burned-in unique identifier. Prior to measurement, PBS requires the registration of each PyroButton by its unique identifier. All input and output data are bound to the unique Id. Furthermore, PyroButton management functions are restricted to users having Administrator's rights.
Note: this part applies only if PyroButtons and/or PBS documents are stored, transmitted, or processed in open system relative 21 CFR Part 11 requirements.
'Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.'
Compliance: PyroButton internal memory configurations, PBS documents, and any other PBS data sources are integrity checked in PBS systems using accepted standard cryptographic methods. Moreover, if the application environment makes it necessary, it is possible to password-protect the measurement specification stored within a PyroButton.
PBS is a desktop document-oriented software solution, which does not implement an explicit global ES (electronic signature) system. For compliance requirement, PBS includes a local user management module with role based access control, and applies the appropriate ES components with respect to this local identification (e.g. when creating a measurement document). To complement the above for full compliance, PBS documents should be stored in a 21 CFR Part 11 document management system.