Compliance with regulatory requirements is a business-critical need that must be maintained, and the FDA recognizes that a technically advanced software solution can help companies manage compliance.
Title 21, Part 11 of the U.S. Food and Drug Administration’s (FDA) Code of Federal Regulations requires drug makers, medical device manufacturers, biotech companies, biologics developers and other FDA-regulated industries (except food manufacturers) to implement controls – including audits, validation systems and documentation – for software and systems involved in processing many forms of data as part of business operations and product development.
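Under Part 11, electronic records are considered to have the same validity as paper records and handwritten signatures; that is, with certified software, the information security of the software is effectively assured. Software must comply with these certification requirements from the development stage onward.
Security requirements of 21 CFR Part 11 for systems:
- Security measures: the security requirements of 21 CFR Part 11 for systems are mainly intended to prevent unauthorized persons from entering the system and accessing electronic records, or altering and deleting electronic records and electronic signatures.
- "Permission" mechanism: the permission mechanism ensures that users can modify their own records but can only read (not modify) other users' records, which is implemented by managing individual files and directories. Each user is set to a specific user role (such as administrator, supervisor, technician or operator) according to the permissions assigned to them; in other words, permissions are assigned when roles are defined.
- Trustworthy records: besides data security, the prerequisite for trustworthy records is traceability. "What is not written down is a rumor." During an FDA inspection, the auditor will consult the laboratory logs to examine the analysis process.
The contents of the log cannot be modified or deleted by ordinary means.
The audit trail exists to ensure that all data has a clear and complete record, not to control personnel or measure work efficiency. It helps the person recording and the person reviewing understand why a particular operation was performed at the time.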
The regulation was created to maintain the trustworthiness, reliability and integrity of electronic records and to ensure that the authenticity of electronic records would be equivalent to paper records when submitted. All companies and industries that submit or utilize electronic records and/or signatures regulated by the FDA must comply with this federal regulation.
But complying with the regulation proves to be a difficult task for most companies. Since Part 11 was introduced, manufacturers have endured much confusion, as the regulation is open to a wide range of interpretations. Despite the confusion surrounding Part 11, one thing remains constant: the FDA’s interpretation of the following requirements has not changed – controls for closed and open systems and electronic signatures.
With that in mind, compliance with regulatory requirements is a business-critical need that must be maintained, and the FDA recognizes that a technically advanced software solution can help companies manage compliance. Specifically, CFR 21 Part 11 states that enterprise resource planning (ERP) systems must provide:
• Extensive transaction audit functionality with field, user, time and date reference,
• Document signature printing association for technical or quality assurance generated reports,
• Digital signature to support field and/or screen level security authentication with change reason codes and access verification and historical user, time and date references.
Further requirements are associated with the concept of “validation” for both the manufacturer and the software developer. Guidelines require that the company’s needs and intended uses of its selected software system are established and that evidence that the computer system implements those needs correctly is traceable to the system design and specification.
To help companies adhere to 21 CFR Part 11, Enterprise Management offers the following functionality:
Audit Trails: Associated with the creation, modification and deletion of electronic records, audit trails are now standard in Enterprise Management. The functionality records user name, date, time, previous data, new data and the reason for the change.
Digital Electronic Signatures: An electronic signature framework includes tables, programs, actions and objects to store, configure and collect unique e-signatures, which are permanently linked to the object and cannot be modified or copied.
Document Signatures: Documents requiring handwritten signatures, such as Certificates of Analysis or Technical Sheets, are generated with an image linked to the specific document. The image plate is controlled and linked to the user profile.
Validation Scripts: Documentation describing various process controls deployed by Sage is available. These scripts are flexible in design, associated with clearly identified and documented procedures. They are easily transferred or incorporated into custom validation and cGMP documents to support company initiatives.
Security Features: Several security standards safeguard against unauthorized use, including automatic logoff after a period of inactivity, auto logout after too many failed logon attempts and logging of all user activity.
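The audit-trail fields and the permanent signature-to-record link described above can be made tamper-evident in software; the following is an added example, not Sage code and not a description of how Enterprise Management is implemented. It assumes a hash-chained trail and uses an HMAC under a server-held key as a stand-in for the electronic signature; every name, key and sample value is constructed for the illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # value the first entry chains to

def _digest(body):
    # Canonical JSON, so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(trail, user, ts, record_id, field, old, new, reason):
    """Append one change entry; each entry commits to the one before it."""
    body = {"user": user, "ts": ts, "record_id": record_id, "field": field,
            "old": old, "new": new, "reason": reason,
            "prev": trail[-1]["hash"] if trail else GENESIS}
    entry = dict(body, hash=_digest(body))
    trail.append(entry)
    return entry

def first_bad_entry(trail):
    """Index of the first edited, removed-before or reordered entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def _mac(key, signer, meaning, entry):
    msg = f"{signer}|{meaning}|{entry['hash']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_entry(key, signer, meaning, entry):
    """Bind signer and meaning to one specific entry by MACing its hash."""
    return {"signer": signer, "meaning": meaning,
            "mac": _mac(key, signer, meaning, entry)}

def signature_matches(key, sig, entry):
    expected = _mac(key, sig["signer"], sig["meaning"], entry)
    return hmac.compare_digest(expected, sig["mac"])

def demo():
    key = b"constructed-demo-key"  # assumption: held server side, never by the client
    trail = []
    e1 = append_entry(trail, "jdoe", "2024-01-05T09:12:00Z", "LOT-001",
                      "assay_pct", "98.1", "98.7", "transcription error")
    e2 = append_entry(trail, "asmith", "2024-01-05T10:40:00Z", "LOT-002",
                      "status", "HOLD", "RELEASED", "QA review complete")
    sig = sign_entry(key, "asmith", "approval", e2)
    intact = first_bad_entry(trail)              # None: chain verifies
    copied_ok = signature_matches(key, sig, e1)  # signature moved to another record
    trail[0]["new"] = "99.9"                     # silent edit of a stored value
    return intact, signature_matches(key, sig, e2), copied_ok, first_bad_entry(trail)
```

A periodic job that runs `first_bad_entry` over the stored trail and alerts on any non-`None` result turns the "cannot be modified by ordinary means" requirement into something that is checked rather than assumed.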
Managing Compliance with 21 CFR Part 11
Part 11 Clause Enterprise Management Capabilities
11.10(a) Enterprise Management manages audit trails for all electronic records, which are secured from unauthorized access.
11.10(b) All electronic records generated by Enterprise Management are accurate, complete and presented in human readable format, and they can be printed or exported into industry standard formats like Adobe PDF and XML.
11.10(c) All electronic records can be maintained in the active database or archived to accommodate all required retention periods, even after software upgrades. Access is secured and the system maintains the link between electronic signatures and electronic records even after archiving.
11.10(d) Advanced security features ensure that only authorized individuals access the system, and changes to security profiles are logged.
11.10(e) Electronic records for creating, modifying or deleting data are automatically generated. Records are time and date stamped with the user ID of the person who was logged on to the system. The records maintain the old and new values of the change and the transaction used to generate the record. All electronic records are maintained in the active database for required retention periods, as is the link with the electronic signature.
11.10(f) Process instruction sheets used in the manufacturing process include operational checks to enforce permitted sequencing of steps and events.
11.10(g) Authority checks, along with advanced security features, ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record or perform the operation at hand.
11.10(h) Terminals, measurement devices, process control systems and other input devices are maintained by the system’s advanced security features and require authorization for connection.
11.10(i) Sage requires that all personnel responsible for developing and maintaining Enterprise Management have the education, training and experience to perform their assigned tasks. Sage University offers a wide range of training classes to ensure a process of continual learning.
11.10(j) This clause refers to procedures required of the manufacturer and is not related to Enterprise Management.
11.10(k) Enterprise Management provides a complete electronic library containing field, functional and system related documentation. Consistent updates to documentation are provided to current customers and deployed in a controlled electronic format.
11.30 For open systems, Enterprise Management supports interfaces with partners that supply ADAPI methods with public key infrastructure (PKI) technology.
11.50(a) Signed electronic records within Enterprise Management contain the printed name of the signer, the date and time when the signature was executed and the activity code describing the transaction performed by the user. The system automatically records the change associated with the signature with standard descriptions of the activity the signature performed.
11.50(b) Electronic signature records are maintained in the same manner as all electronic records and can be displayed or printed in a human readable format.
11.70 Electronic signatures are linked to their respective electronic records to ensure that the signatures cannot be excised, copied or otherwise transferred to falsify an electronic record by ordinary means. The link remains when the electronic records are archived.
11.100(a) User and security features ensure each electronic signature is unique to one individual.
11.100(b) Refers to procedures required of the manufacturer and is not applicable.
11.100(c) This clause refers to procedures required of the manufacturer and is not applicable.
11.200(a)1 Enterprise Management requires two distinct identification components – a user identification and password – to perform every electronic signature.
11.200(a)2 This clause refers to procedures required of the manufacturer and is not applicable.
11.200(a)3 Enterprise Management user and security administration functions ensure that the attempted use of an individual’s electronic signature other than the genuine owner requires collaboration of two or more individuals.
11.200(b) This clause refers to procedures required of the manufacturer and is not applicable.
11.300(a) Enterprise Management user and security features ensure the uniqueness of each combination of identification code and password, so that no two individuals have the same combination.
11.300(b) Enterprise Management security features can be configured to force users to change passwords periodically. The system also manages password use frequency, restricting how soon a password can be reused.
11.300(c) This clause refers to procedures required of the manufacturer and is not applicable.
11.300(d) Enterprise Management security features safeguard against unauthorized use of passwords and/or identification codes with auto lockout after too many failed log on attempts, automatic log off after a period of inactivity and automatic log off from the first location when logging on from a second location.
11.300(e) This clause refers to procedures required of the manufacturer and is not applicable.