STANDARD OPERATING PROCEDURE
Document Number: S-551 Version 1.xx
Security and Integrity of Electronic Laboratory Data

This is an example of a Standard Operating Procedure. It is a proposal and starting point only. The type and extent of documentation depends on the process environment. The proposed documentation should be adapted accordingly and should be based on individual risk assessments. There is no guarantee that this document will pass a regulatory inspection.

Publication from

Global on-line resource for validation and compliance

Copyright by Labcompliance. This document may only be saved and viewed or printed for personal use. Users may not transmit or duplicate this document in whole or in part, in any medium. Additional copies and licenses for department, site or corporate use can be ordered from

While every effort has been made to ensure the accuracy of information contained in this document, Labcompliance accepts no responsibility for errors or omissions. No liability can be accepted in any way.

Company Name: /
Controls:
Superseded Document / N/A, new
Reason for Revision / N/A
Effective Date / April 1, 2012
Signatures:
Author / I indicate that I have authored or updated this SOP according to applicable business requirements and our company procedure: Preparing and Updating Standard Operating Procedures.
Name:______
Signature:______
Date:______
Approver / I indicate that I have reviewed this SOP, and find it meets all applicable business requirements and that it reflects the procedure described. I approve it for use.
Name:______
Signature:______
Date:______
Reviewer / I indicate that I have reviewed this SOP and find that it meets all applicable quality requirements and company standards. I approve it for use.
Name:______
Signature:______
Date:______

1. PURPOSE

FDA's 21 CFR Part 11 and EU Annex 11 require that procedures and technical controls be in place to ensure the integrity and security of regulated electronic records. This SOP describes these requirements and the steps to meet them in laboratories.

2. SCOPE

This SOP applies to electronic records in GxP regulated laboratories. It reflects the FDA’s approach to the scope and application of 21 CFR Part 11 according to Reference 4.2, the EU GMP Annex 11 according to Reference 4.3, and the FDA’s recent inspection and enforcement practice.

3. GLOSSARY/DEFINITIONS

Item / Explanation
GxP / Good x Practices, where x can stand for L=Laboratories, M=Manufacturing, C=Clinical
Electronic Record / Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.
Predicate Rule / Requirements set forth in the Public Health and Safety (PHS) Act, or any FDA regulation, with the exception of Part 11. Examples are Good Laboratory Practice, Good Manufacturing Practice and Good Clinical Practice Regulations.
GxP Record / Record required to be maintained by predicate rules or submitted to the FDA under the predicate rules.
RS / Requirement Specifications

Note: For other definitions, see .

4. REFERENCE DOCUMENTS

4.1. Code of Federal Regulations, Title 21, Food and Drugs, Part 11 Electronic Records; Electronic Signatures; Final Rule; Federal Register 62 (54), 13429-13466.

4.2. FDA Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Applications (Final version August 2003).

4.3. EU GMP Annex 11: Computerized Systems, update 2011

4.4. Checklist E-148-03: “Security and Integrity of Electronic Data in Laboratories”, Available through

4.5. SOP S-323: Review of Electronic Audit Trail
Available through

5. RESPONSIBILITIES

5.1. Users of Computer Systems

5.1.1. Get trained on data integrity and security.

5.1.2. Have ultimate responsibility for data integrity and security.

5.1.3. Verify that all related security and integrity functions are implemented in the software and activated.

5.2. Process Owner

5.2.1. Takes the lead in defining and developing integrity and security related procedures.

5.2.2. Takes the lead in defining and implementing integrity and security related software functions.

5.3. Laboratory Manager

5.3.1. Ensures that all staff working in FDA regulated laboratories are trained on the importance of and requirements for data integrity and security.

5.3.2. Follows up on any reports from staff about data security and integrity.

5.4. Quality Assurance Department

5.4.1. Advises on regulations and guidelines related to Part 11 and EU Annex 11.

5.4.2. Checks whether processes and documentation are in compliance with internal policies and regulations/guidelines.

5.4.3. Reviews and approves procedures related to data integrity and security.

5.5. IT Department

5.5.1. Orders and installs integrity and security related functions.

5.5.2. Takes the lead in validating security and integrity related software functions.

6. PROCEDURE

6.1. Acquire and share information on regulatory requirements

6.1.1. A team consisting of QA, IT and user departments identifies Part 11 / EU Annex 11 requirements related to security and integrity. Sources are:

  • 21 CFR Part 11 (Ref 4.1)
  • Part 11 Guide, Scope and Applications (Ref 4.2)
  • Annex 11 (Ref 4.3)
  • FDA Warning Letters (search for security and integrity)

6.1.2. QA organizes a training for all employees in all affected laboratories.

6.2. Develop Required Procedures

6.2.1. The process owner identifies procedures that are required to comply with data integrity and security related requirements. Examples of procedures are listed in Attachment 7.1.

6.2.2. Using a template as shown in Attachment 7.1, the process owner documents which procedures have to be developed.

6.2.3. With the help of affected laboratories, IT and QA, the process owner manages development of the missing procedures.

6.3. Identify, purchase and install related software functions

6.3.1. Together with IT and affected laboratories, the process owner identifies software functions that are required to comply with data integrity and security related requirements. Examples of related software functions are listed in Attachment 7.2.

6.3.2. Using a template as shown in Attachment 7.2, the process owner documents which software functions are available or have to be developed.

6.3.3. IT contacts the software vendor and purchases a related software update.

6.3.4. IT installs and configures the updated software as purchased in 6.3.3.

6.4. Validate related software functions

6.4.1. With the help of IT and affected laboratories, a validation and test plan is developed to validate the system. This should ensure that the updated software is suitable for its intended use. Examples of required validation activities are listed in Attachment 7.3.

6.4.2. Representatives of user departments execute the test plan as defined in 6.4.1.

6.4.3. The process owner prepares the validation package.

6.4.4. The validation package is reviewed and approved by QA and IT.

6.5. Activities when using computer systems and creating regulated records

6.5.1. Before using the system for the first time, users should verify that all software functions identified in 6.3.1 are implemented and configured. The template in Attachment 7.2 can be used as a checklist.

6.5.2. After records have been created, the audit trail table should undergo an independent review. The review should follow the procedure in Ref 4.5.

6.5.3. Any unusual audit trail entries should be reported to QA and the process owner for suitable follow-up.

6.6. Follow-up

6.6.1. The process owner, with the help of the affected laboratory management, assesses the impact of the unusual audit trail entries on product quality.

6.6.2. For critical audit trail items the process owner suggests further actions, such as identification of the root cause and development of corrective and preventive action plans.

6.6.3. QA verified as part of internal audits that requirements as defined in 6.5.1.

6.7. Documentation

6.7.1. The process owner collects and maintains all documents generated in 6.1 to 6.6.

6.7.2. The documents in 6.7.1 should be archived for as long as the related records have to be archived.

7. ATTACHMENTS

7.1. Attachment - Examples for Procedures

# / Required Procedures / Available (yes/no)
1 / Unique identification of each employee through user ID
2 / Company procedure and rules for issuing, maintaining and using passwords
3 / Development and maintenance of user lists
4 / Back-up of data
5 / Definition of user privileges in line with roles and responsibilities
6 / Definition of raw data and complete records for each application
7 / Retention of raw data
8 / Destruction of documents
9 / Review of audit trail
10 / Validation of software
11 / Accountability of individuals for data integrity and security

7.2. Attachment - Examples for software functions

# / Required Software functions / Available (yes/no)
1 / Limited access to authorized users with authority checks
2 / Handling the company’s password rules
3 / Handling the company’s user access privileges
4 / Electronic audit trail
5 / Storing and archiving complete electronic records as required by predicate rules
6 / Indicating record changes after initial entry on the print-out
7 / Linking paper print-outs to electronic records
8 / Data back-up according to the company’s back-up procedure
9 / Application specific automated time-outs
10 / Part 11 compliant electronic signature if required by business process

7.3. Attachment - Examples for Validation Activities

# / Required Validation Activities / Done (yes/no)
1 / Update validation master plan to include validation requirements for data security and integrity related functions
2 / Update user requirement specifications
3 / Limited and authorized access to individual users
4 / User privileges
5 / Electronic audit trail
6 / Linking electronic records to signatures
7 / Data back-up, archiving and retrieval
8 / Electronic signature (if required by process)

(Replace with your company’s name) FOR INTERNAL USE