Introduction
On August 20, 1997, the US Food and Drug Administration (FDA) regulation 21 CFR Part 11 on Electronic Records and Electronic Signatures came into effect. 21 CFR Part 11 (Part 11 for short) defines the FDA’s acceptance criteria for the use of electronic records and signatures instead of records in paper form and handwritten signatures on paper. Electronic records and signatures must be as trustworthy and reliable as traditional records, and equivalent to them. The application of this regulation is mandatory for the use of electronic records and signatures.
However, Part 11 only applies to records that are made in accordance with the FDA guidelines (as in the so-called predicate rules) or which must be submitted to the FDA in electronic form. There are various interpretations and recommendations on this subject from the FDA as well as the ISPE and PDA. In addition to the use of electronic records and signatures, it is possible to continue to use conventional paper-based documents and handwritten signatures or a combination of the two.
To help our customers, Siemens, as the provider of SIMATIC PCS 7, evaluated version 7.0 of the system based on these requirements. The results of the evaluation of the SIMATIC PCS 7 V7.0 process control system are published in this paper.
The components examined were operator station (client and server), engineering system, SIMATIC BATCH (client and server) and S SIMATIC PCS 7 V7.0 fully meets the functional requirements of 21 CFR Part 11.
In conjunction with organizational measures and procedural instructions to be established by the customer, operation in accordance with the regulations is guaranteed. Siemens’ recommendations for system architecture, design and configuration will help the customer achieve compliance. You can find additional information and help in the GMP engineering manual: SIMATIC PCS 7 guidelines for implementing automation projects in a GMP environment.
In addition to the pharmaceutical industry, the FDA requirements are also used in other so-called life sciences industries (e.g. food technology, cosmetics and care products). The requirements of Part 11 are open to interpretation. This document is based on the internationally recognized current interpretation of the ISPE CoP GAMP and PDA.
If a company’s interpretation of a requirement deviates from the one given here, please contact the Competence Center Pharma of Siemens AG A&D in Karlsruhe for more information (see last page for contact details).
This document consists of three parts. The first part contains a brief overview of the requirements of Part 11, the second part describes solutions from the point of view of SIMATIC PCS 7 V7.0 in the context of these requirements and the third part contains a detailed system evaluation according to ISPE / PDA¹.
¹ Good Practice and meeting the requirements for electronic records and signatures; Part 2 Fulfillment of the requirements of 21 CFR Part 11, Electronic records and electronic signatures; ISPE and PDA 2001/2002
1. The requirements of FDA 21 CFR Part 11 at a glance
21 CFR Part 11 takes account of the fact that, with electronic records and signatures, the risk of manipulation, misinterpretation and changes that cannot be traced is greater, or such changes are harder to detect, than with conventional paper records and handwritten signatures. For this reason, additional measures are necessary.
The terms electronic record and electronic document mean any combination of text, graphics, data, audio, visual, or other forms of information in digital form that is created, modified, maintained, archived, retrieved, or distributed on a computer system.
The term electronic signature means a compilation in computer data of any symbol or series of symbols that is executed, adopted, or authorized by a person to be the legally binding equivalent of a handwritten signature.
Requirement: Description
Validation: All GMP-relevant automated systems must be validated in order to guarantee precise, reliable and consistent data processing in accordance with the specifications.
Audit trails: All operations that create, change or delete an electronic record must be recorded in a secure, time-stamped, computer-generated audit trail.
Storage, protection, reproducibility and retrievability: The systems must be able to archive, protect and make available the records during the specified retention period. The systems must be able to reproduce electronic records in both human-readable and electronic form.
Document control: System operation and maintenance documentation must have controls over access, review, distribution, and use.
Electronic signature: The systems must offer measures to ensure that the use of the electronic signature is restricted to the real owner only and that attempted use by third parties is immediately detected and recorded. Non-biometric systems must use two different identification mechanisms (user ID / password). User ID and password must be entered before signing, and at least the password must be entered for each subsequent signing action during the same session. The electronic signature may not be reused or passed on. The purpose of the electronic signature must be clearly stated. Finally, the system should contain functions that prevent the electronic signature from being falsified by standard tools. There must be written provisions in place to hold individuals accountable for actions taken under their electronic signature.
Certification for the FDA: A written certificate must be given to the regional FDA office confirming that the electronic signatures are equivalent to traditional handwritten signatures and are therefore also legally binding.
2. Response from SIMATIC PCS 7 V7.0 to 21 CFR Part 11
Access protection
Audit Trail
Archiving and retrieving archived data
Electronic signature
2. System solution for access protection
The SIMATIC Logon software package is used to define an MS Windows security mechanism with authorization levels in the WinCC user administration. Based on the user groups, the authorizations are defined with authorization levels in the user administration of PCS 7 OS. The individual users and their assignment to Windows user groups are defined in the Windows user administration. SIMATIC Logon establishes the connection between the Windows user groups and the PCS 7 OS user groups. In this way, the following access protection requirements are met:
Central administration of users (setup, deactivation, blocking, unblocking, assignment to user groups) is carried out by the administrator.
Unique combination of user ID and password.
Definition of access rights for groups and users.
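The electronic signature and audit trail requirements from the overview above can be made concrete with an added Python example; it is not Siemens code and does not describe how SIMATIC PCS 7 or SIMATIC Logon work internally. The class names, the hash-chained trail and the sample account are assumptions chosen for illustration.

```python
import hashlib, hmac, json, os
from datetime import datetime, timezone

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuditTrail:
    """Append-only, time-stamped trail; every entry commits to the previous one."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user, action, detail):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                 "action": action, "detail": detail,
                 "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return False if any entry was altered, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

class SigningSession:
    """First signing needs user ID and password; later ones at least the password."""
    def __init__(self, users, trail):
        self.users, self.trail, self.signer = users, trail, None

    def sign(self, record_id, meaning, password, user_id=None):
        uid = user_id or self.signer       # no ID given: fall back to the session signer
        user = self.users.get(uid)
        detail = {"record": record_id, "meaning": meaning}  # purpose is part of the signature
        if user is None or not hmac.compare_digest(pw_hash(password, user["salt"]), user["hash"]):
            self.trail.append(uid or "unknown", "signature_rejected", detail)
            return None                    # attempted use is recorded, not silently dropped
        self.signer = uid
        return self.trail.append(uid, "signed", detail)

def make_user(password):                   # builds a constructed sample account
    salt = os.urandom(16)
    return {"salt": salt, "hash": pw_hash(password, salt)}
```

The chain only shows that stored entries were changed after the fact; someone able to rewrite the whole trail can recompute it, so the latest hash should also be kept somewhere the operators of the system cannot modify.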