Electronic Records, 21 CFR Part 11

1
Electronic Records, 21 CFR Part 11 and Oracle 9i
Shon Naeymirad Principal Analyst/DBA Abbott
Laboratories

2
Agenda

• 21 CFR Part 11
• Electronic Record
• Electronic Signature
• How to build the final rule of 21 CFR Part 11
• J2EE Platform Overview
• Oracle Application Development Framework (ADF)

3
21 CFR Part 11 Electronic Records Electronic
Signatures

• 1991, members of the pharmaceutical industry met
  with the agency to determine how they could
  accommodate paperless record systems under the
  current good manufacturing practice (CGMP)
  regulations in parts 210 and 211 (21 CFR parts
  210 and 211). FDA created a Task Force on
  Electronic Identification/Signatures to develop a
  uniform approach by which the agency could accept
  electronic signatures and records in all program
  areas.
• 1992, report, a task force subgroup, the
  Electronic Identification/Signature Working
  Group, recommended publication of an advance
  notice of proposed rulemaking (ANPRM) to obtain
  public comment on the issues involved.
• 1994. A complete discussion of the options
  considered by FDA and other background
  information on the agencys policy on electronic
  records and electronic signatures can be found in
  the ANPRM and the proposed rule.
• 1997, The final rule provides criteria under
  which FDA will consider electronic records to be
  equivalent to paper records, and electronic
  signatures equivalent to traditional handwritten
  signatures. Part 11 (21 CFR part 11) applies to
  any paper records required by statute or agency
  regulations and supersedes any existing paper
  record requirements by providing that electronic
  records may be used in lieu of paper records.
  Electronic signatures which meet the requirements
  of the rule will be considered to be equivalent
  to full handwritten signatures, initials, and
  other general signings required by agency
  regulations.

DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and
Drug Administration 21 CFR Part 11 Docket No. 92
N0251 RIN 0910AA29 Electronic Records Electro
nic Signatures
4
Paper Record
Blank Form context
Reporter Name Jim Smith Event Description
Patient Infection Event Date Jan
uary 10, 2001
Data content
Form Data record
5
Database Records
6
Database Record Data Definition
Complaint Table Complaint ID Number(10) Uniq
ue ID for complaint table Reporter ID Number(1
0) Foreign Key to Reporter Table
Complaint Desc Varchar2(4000) Description
Complaint Date Date Date of Call
Days Open Number(6) Calculated Field
7
Electronic Record - Context
8
Electronic Record - Content
9
Electronic Records
Electronic Record Context Reporter.Name Co
mplaint.Complaint Description Complaint.Date E
lectronic Record Content Jim Smith Patien
t Infection January 10, 2001 Electronic Record
Context Content Reporter.Name Jim Smith
Complaint.Complaint Description Patient Infec
tion Complaint.Date January 10, 2001
10
Paper vs. Electronic Records
Electronic Record Context Reporter.Name Co
mplaint.Complaint Desc Complaint.Date Record
definition includes 2 tables and 3 fields but
excludes 8 fields in those tables plus all fields
in the address table. Electronic Record Paper
Record Reporter.Name Jim Smith Complaint.C
omplaint Desc Patient Infection
Complaint.Date January 10, 2001
Complaint Form
Reporter Name Jim Smith Event Description
Patient Infection Event Date Jan
uary 10, 2001
11
Key Point
You must define the context of the electronic
record (i.e., the collection of fields and tables
that comprise the record) independent of the
underlying database structures.
Otherwise, you risk the interpretation that all
information in the database is part of the
electronic record.
As with any definition we need to store that
definition so it can be applied consistently and
referred to when is needed.

12
Attestation vs. Signature
Attestation, simply stated, is attesting to the
fact that a person changed a record, and links
the record to the person who changed it, and when
the change occurred. A signature, on the other
hand, implies approval, acceptance, or
authorization (like signing a check, to authorize
your bank to release funds).
Key Point Your software should differentiate bet
ween attestation and signature since you need
attestation on all required records but
signatures only on certain records as defined by
predicate rule. Dont allow IT to define what r
ecords to apply signatures.
13
Time Zone
14
UTC

• Establish a procedure for determining the local
  date and time from a time stamp based on UTC,
  Coordinated Universal Time.
  
• Coordinated Universal Time replaces Greenwich
  Mean Time to represent the Earth's prime meridian
  (0 degrees longitude). UTC is based upon the
  atomic time scale that is commonly referred to as
  GMT. In 1970 the International Telecommunication
  Union agreed upon a single acronym for use in all
  languages to be UTC.
• Oracle server date and time must be set to UTC.

15
How to build the final rule of 21 CFR Part 11
System

• Understand system requirements
• Design good data model
• Define security roles
• Enforce password change
• Build Audit Trail for all tables
• Select your framework
• Automate your development
• Performance tuning

16
Build Audit Trail

• Create history table for all tables
• Use database insert, update, delete triggers to
  build history records
  
• Record user, server date and time
• Define your Electronic Record
• Define approval process of Electronic Record
• Build a mechanism to record versioning for your
  Electronic Records

17
Oracle Security

• From the authentication standpoint, Oracles
  Single Sign-On (SSO) Server provides a scalable
  and extensible solution to address Web-based
  SSO.
• Oracle ID and password can be used as Electronic
  Signature.
  
• Use Oracle Profile to enforce password
  expiration, re-use control and complexity.
  
• Use Oracle Roles to control user access
• Oracle database instance login trigger can be
  used to monitor all logins.
  
• Time stamps must be stored with electronic
  signature.

18
Oracle9iAS Security Components
Oracle HTTP Server
OC4J
mod_ossl
mod_osso
JAAS
Client
Single Sign-On
Oracle Internet Directory
19
Oracle9iAS JAAS Provider Integration with OC4J
and SSO/OID
20
Oracle Profile
CREATE PROFILE NEWUSER" LIMIT CPU_PER_SESSI
ON DEFAULT CPU_PER_CALL DEFAULT CONNEC
T_TIME DEFAULT IDLE_TIME DEFAULT SESSI
ONS_PER_USER DEFAULT LOGICAL_READS_PER_SESSI
ON DEFAULT LOGICAL_READS_PER_CALL DEFAULT
PRIVATE_SGA DEFAULT COMPOSITE_LIMIT DEFA
ULT FAILED_LOGIN_ATTEMPTS 5 PASSWORD_L
OCK_TIME 90 PASSWORD_GRACE_TIME 1 PASS
WORD_LIFE_TIME .0006 PASSWORD_REUSE_MAX 10
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION
21
Logon Trigger
CREATE TRIGGER "SYSTEM"."LOGON_CHECK"
AFTER LOGON ON DATABASE Begin -- Limit access
-- Verify usage of tools that was used to
logon -- Insert into appl_audit_tables end
22
J2EE Platform Overview

• Open standard supported by a community process
• Backed by Big names like Oracle, IBM, Sun
• Architecture for Highly scaleable multi-tier
  enterprise applications
  
• Extends java promise for Write Once, Run
  Anywhere" portability
  

23
J2EE Platform Roles

• Product Provider supplier of container e.g.
  Oracle
  
• Tool Provider supplier of tools for development
  and packaging
  
• Application Developer
• Application Assembler
• Application Deployer
• System Administrator

24
Oracle9i Application Server Release 2

• Productive Development
• Complete J2EE, Web Services
• Lightweight J2EE Footprint
• Most Reliable Deployment
• Fast Application Server
• High Availability and Clustering
• Complete Management and Security
• 100 Standards Compliant
• J2EE 1.3, Web Services, SOAP, WSDL, UDDI, ebXML,
  RosettaNet, LDAP, SSL, XML ...

25
J2EE Architecture
Presentation JSP, Servlet, Custom Tags
Business Logic EJB, Java Classes
Database Enterprise Information System
JDBC,
SQLJ, JCA,
J2EE Services JNDI, JTA, JMS, JAAS, JAF, JavaMa
il, JAF, JAXP

26
Oracle9iAS Architecture
Oracle HTTP Server
AJP13
JNDI
Web Container
HTTP
JMS
AJP
mod_oc4j
JDBC
JTA
Client
JAAS
EJB Container
ORMI
J2C
JavaMail
ORMI
JAF
EJB Client
Oracle9iAS Containers for J2EE (OC4J)
27
Model View Controller (MVC)
28
Persistence Layer
29
Object-relational Impedance Mismatch
30
Oracle ADF Application Architecture
31
Oracle9iAS Integration
32
(No Transcript)
33
Summary

• Your software should differentiate between
  attestation and signature.
  
• You should define the context of the electronic
  record independent of the underlying database
  structures.
  
• You must link the attestation, or person who
  created, modified or deleted the record, to the
  correct revision of the record. This audit trail
  functionality is required.
• Design your electronic record around approval
  process
  
• Select your framework for J2EE
• Use existing tools to integrate and automate

34
A