Top Marks For FDA Conformity

With the “21 CFR Part 11” regulation, the US Food and Drug Administration (FDA) has created clear guidelines for the safe handling of electronically recorded data. These requirements include access protection, audit trails, storage and retrieval of electronic records and the electronic signature. Companies from the pharmaceutical, chemical, medical technology and food sectors that sell their products in the USA must ensure that the IT systems they use comply with these FDA requirements.

This is why the GUARDUS MES Manufacturing Execution System has been functionally expanded based on the rules from 21 CFR Part 11. GUARDUS customers from the medical technology sector can now seamlessly implement all safety-relevant requirements with the MES solution. “Of course, we need organizational measures and procedural instructions defined by the customer for this. But to meet these conformity criteria, we also give the user a helping hand and make clear recommendations on system architecture as well as software design and configuration,” says Simone Kirsch, CEO of GUARDUS Solutions AG from Zusmarshausen. In this way, GUARDUS significantly supports its customers in eliminating the risk of forgeries, misinterpretations and incomprehensible changes to electronic data and signatures.

Access protection

The requirement of the Food and Drug Administration clearly states that access to electronic records must be restricted to authorized and qualified persons only. “In the course of digitization, the risk increases every day that sensitive patient, consumer or product data will fall into the ‘wrong hands’. So it is absolutely understandable that the requirements of the FDA address this potential security gap,” explains Simone Kirsch. How does GUARDUS MES fulfill the required access protection? The central user administration of GUARDUS MES can be provided with clear access rights via the integrated authorization administration at field and functional level. Using the combination of user ID and password, both individual users and entire user groups are assigned individual rights for access to data (display, change, delete etc.) as well as to resources and programs. In addition, the existing standard security mechanisms of the underlying Oracle database as well as the existing Windows and UNIX servers take effect. In connection with the Microsoft Windows user administration, the GUARDUS Access Manager also controls the “password awareness” of the user. In other words: password aging, a new password after logging in for the first time, or a user lock after several incorrect password entries.

Audit trails

The FDA specification for audit trails states the following: All user actions that create, change or delete an electronic data record must be saved and, above all, recorded in a computer-generated manner, including time stamps. That is why the Audit Trail is implemented consistently in the entire GUARDUS system. Any data change is logged – be it in user administration, be it with process data (e.g. measured and error values) or with data that arise during operation (e.g. parameters, message acknowledgments or releases). These recordings are stored centrally in the database and can be archived, read, printed or output in common file formats at any time.

Storage, protection, reproducibility and retrievability

What many companies know about the revision security of electronic data is also required by the FDA. Authorized GUARDUS users have access to original data including the audit trail and release information at any time. The data is both printed on paper and exported in a wide variety of formats, such as ASCII, XLS or PDF. Depending on customer requirements, a suitable document management and archive system can also be connected to GUARDUS MES.

Electronic signature

Measures for personal identification using digital signatures are also clearly specified. In addition to biometric systems, only processes based on different identification mechanisms, such as user ID plus password, are permitted. This specification can also be implemented in GUARDUS without any problems, as identification takes place via user ID and password.
