21 CFR Part 11 LIMS Requirements: Electronic Signatures and Records


21 CFR Part 11 LIMS Requirements Electronic signatures and records
1. Electronic Signatures

UR-1: Electronic signatures must be unique to each individual. Each user must have a unique Full Name. Each user must have a unique user ID.

UR-2: The system must verify that an individual has the authority to electronically sign a record before allowing them to do so.

UR-3: The system will not allow electronic signatures to be reused or reassigned to anyone other than the original owner.

UR-4: The meaning of the signature (author, reviewer, or approver) must be displayed:
a. at the point of signing;
b. on the human readable copy of the associated record (screen or printed);
c. on the electronic copy of the associated record.

UR-5: Maintain electronic records and linked signatures for the life of the electronic record.

UR-6: Electronic signatures shall be able to show the signer’s full printed name and the time and date of execution.

UR-7: Electronic signatures are non-removable, non-modifiable and an integral part of the electronic records.

UR-8: At a minimum, electronic signatures employ two distinct components, e.g. user ID and password.

UR-9: The system shall be able to require at least one electronic signature component to be re-applied during a series of signings in a single controlled session.

UR-10: The system shall be able to require all electronic signature components to be re-applied when a series of signings are not in a single controlled session.

UR-11: The system shall maintain an Electronic Signature activity log in the audit trail.

The log shall track the history of all Electronic Signature activities applied to each record.

This should also include any previously entered data in the event a record is reset, data re-entered and a signature reapplied, and will not obliterate the journal of previously entered data.

UR-12: Handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

UR-13: The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

2. Audit Trails

UR-14: 11.10(b) - The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review and copying by the agency.

UR-15: 11.10(e) - Use of secure, computer generated, time-stamped audit trails with a source IP address to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

Record changes in a way that does not obscure previously recorded information. The audit trail is to be retained (archived) for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

The system administrator should not be able to ‘switch off’ the audit trail function without higher authorisation. Recovery of the audit trail in human readable form from archived storage must also be possible.

The system should be capable of detecting invalid electronic records prior to data access.

The system must be capable of audit trailing all GMP data in such a way that the original value is not overwritten and the change is linked through time/date and user ID to the modifier.

Audit trail additional information from the 21 CFR Part 11 guidance states:

1. "The Agency intends to exercise enforcement discretion regarding specific Part 11 requirements related to computer-generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in §11.30)".

2. "Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries".

3. "We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity".

4. "Audit trails can be particularly appropriate when users are expected to create, modify, or delete regulated records during normal operation".

Audit trail is a requirement of some FDA predicate rules, for example 21 CFR Part 58 (GLP).

Others don’t specifically mention audit trail but require changes to data to be recorded, for example 21 CFR Part 211 (drug cGMP) states in Paragraph 194b: "Complete records shall be maintained of any modification of an established method employed in testing. Such records shall include the reason for the modification and data to verify that the modification produced results that are at least as accurate and reliable for the material being tested as the established method".


If the audit trail is not generated by the computer it should be generated manually, as a minimum. A record’s integrity is a basic requirement of regulations and users of computer systems must be able to demonstrate this, especially for critical records.

#3 above mentions “other appropriate measures”. This means you can use other techniques to demonstrate record integrity, for example to demonstrate file integrity through hash values.

#4 is important as it talks about manual interaction with the system. Without an electronic audit trail, it is difficult to demonstrate record integrity if users sit in front of a computer and can change data on the screen.

This becomes really critical if a change of such data can have an impact on critical records, for example, accuracy of product test results.

In this case the system should have a built-in electronic audit trail and the function should be validated. This is one example where discretion would not be exercised “as explained in this guidance”.
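The two points above, that a change must not overwrite the original value and that hash values can demonstrate integrity, can be combined in an append-only, hash-chained audit trail. The following is an added example and not part of the original requirements document; the class, field names and sample values are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value for the first entry

def _digest(entry):
    """SHA-256 over canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log: a change adds an entry and never edits an earlier one."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, source_ip, record_id, action, old, new, reason, ts=None):
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": ts or datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "source_ip": source_ip,
            "record_id": record_id, "action": action,
            "old_value": old,  # original value is kept, not overwritten
            "new_value": new, "reason": reason,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def first_invalid(self):
        """Return the seq of the first entry that fails verification, or None."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or e["hash"] != _digest(e):
                return e["seq"]
            prev = e["hash"]
        return None

def demo():
    """Constructed sample: enter a result, correct it, then edit history out of band."""
    trail = AuditTrail()
    trail.record("jsmith", "10.0.0.15", "SAMPLE-001", "create", None, "98.2", "initial entry")
    trail.record("jsmith", "10.0.0.15", "SAMPLE-001", "modify", "98.2", "99.1", "transcription error")
    before = trail.first_invalid()
    trail.entries[0]["new_value"] = "99.9"  # simulated tampering with an earlier entry
    return before, trail.first_invalid()
```

Running `first_invalid()` before serving a record is one way to meet the "detect invalid records prior to data access" requirement. The chain only exposes edits by someone who cannot recompute every later hash, so the latest hash should also be kept in storage that the application's own administrators cannot write.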

3. Control of Identification and Password

UR-16: Password use must expire after a predetermined length of time.

UR-17: The system must require the password to contain a combination of at least 6 characters with at least one letter and one number.

UR-18: The system must prevent the reuse of the specified number of previous passwords.

UR-19: The system must force users to immediately change their passwords after initial issuance or after their passwords have been reset.

UR-20: The system must allow the user to change their password if they feel it has been compromised.

UR-21: User passwords can only be reset by the System Administrator after the account has been locked out or the user has forgotten their password.

UR-22: A user’s account must be locked out if three consecutive failed logon attempts occur.

UR-23: If an account is locked out, the system must send an account locked out message to the System Administrator immediately.
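A sketch of how UR-16 to UR-23 interact as account state, given as an added example rather than code from the original document. The `Account` class, the 90-day expiry, the history depth of 5 and the PBKDF2 parameters are assumptions chosen for illustration; the page only says "predetermined" and "specified".

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)   # UR-16: "predetermined length of time" (90 days assumed)
HISTORY_DEPTH = 5              # UR-18: "specified number" (5 assumed)
MAX_FAILURES = 3               # UR-22

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, notify_admin, initial, now):
        self.history = []            # newest first: (salt, derived key)
        self.failures, self.locked = 0, False
        self.notify_admin = notify_admin
        self.set_password(initial, now, by_admin=True)   # initial issuance

    def set_password(self, new, now, by_admin=False):
        # UR-17: at least 6 characters with at least one letter and one number
        if len(new) < 6 or not re.search(r"[A-Za-z]", new) or not re.search(r"\d", new):
            raise ValueError("password does not meet complexity rule")
        # UR-18: compare against stored derived keys, never stored plaintext
        if any(hmac.compare_digest(_kdf(new, s), k) for s, k in self.history):
            raise ValueError("password was used recently")
        salt = os.urandom(16)
        self.history = [(salt, _kdf(new, salt))] + self.history[:HISTORY_DEPTH - 1]
        # UR-19: a password set by the administrator must be changed at next logon
        self.changed_at, self.must_change = now, by_admin
        if by_admin:                 # UR-21: administrator reset clears the lockout
            self.failures, self.locked = 0, False

    def login(self, password, now):
        if self.locked:
            return "locked"
        salt, key = self.history[0]
        if not hmac.compare_digest(_kdf(password, salt), key):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
                self.notify_admin("account locked out")   # UR-23
            return "locked" if self.locked else "denied"
        self.failures = 0            # UR-22 counts consecutive failures only
        if self.must_change or now - self.changed_at > MAX_AGE:
            return "change_required"  # UR-16 / UR-19
        return "ok"
```

The six-character rule is the floor stated in UR-17; NIST SP 800-63B sets eight characters as the minimum for user-chosen passwords, so a deployment may need a stricter length check than the one shown.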

UR-24: The system must use authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Verification of users, administrators, application managers, ‘super users’, etc. and their access to various functionalities of the program will be validated. The administrator of the system should have the capability to add or delete access, or increase or decrease the level of functionality to the database for users.

UR-25: Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

4. Data Retention

UR-26: The system data must be able to be periodically backed up.

UR-27: The system data must be able to be restored.

UR-28: The data files are protected against intentional or accidental modification or deletion.

Records must be protected to enable their accurate and ready retrieval throughout the records retention period. Restrict deletion of records to administrator access level. This deletion should be audit trailed and this should include backup. The system must be capable of secure backup and recovery to durable media.

UR-29: Electronic records will need to be able to be restored at any time during the designated retention of the record.

UR-30: The data files are written to a highly secure database, directory or to an unalterable media.

5. Security

UR-31: Security procedures and controls shall be designed and implemented to include:
1. System access shall be limited to authorized individuals. (Physical access)
2. Operational system checks shall enforce the proper sequencing of steps in a process (as appropriate).

UR-32: Authority checks shall ensure that only authorized individuals can:
1. Use the system. (Logical access)
2. Access the operation or computer system input or output device.
3. Alter a record.
4. Perform the specified operation.

Limiting system access to authorized individuals.

System access through multi-tiered user access levels. Restrict access to various functions of the system to authorized individuals who have been assigned the appropriate permissions.

UR-33: Device or terminal checks shall determine validity of the source of input or operation (as appropriate).

6. Personnel Qualification

UR-34: Determination that the following persons have the education, training, and experience to perform their assigned tasks:
1. Developer(s) of the computerized system.
2. Maintainer(s) of the computerized system.
3. User(s) of the computerized system.

A determination is documented that people who develop, maintain, or use electronic record/electronic signature systems have the education, training and experience to perform their assigned tasks.

Training of users of the system will be documented in individual training records, as well as their level of access.

7. System Documentation Controls

UR-35: Establishment and use of appropriate controls over systems documentation including:
1. Adequate controls over the documentation for system operation and maintenance, to include:
a. Distribution of documentation.
b. Access to documentation.
c. Use of documentation.

UR-36: Revision and change control procedures to maintain an audit trail that documents the time-sequenced development and modification of the systems documentation.

8. Control of System Management and Configuration

UR-37: The system must be validated to cGMP and 21 CFR Part 11 requirements prior to being put into use in a production environment.

Validation of systems to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records.

The system should be capable of detecting invalid electronic records prior to data access.

The system must be capable of audit trailing all GMP data in such a way that the original value is not overwritten and the change is linked through time/date and user ID to the modifier.

UR-38: Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

The system will be constructed such that the next step in the workflow process will not be permitted until all the (minimum) required information is entered by the user.

Similarly, if a follow-up has lapsed, the system administrator will be informed.

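The content of this article comes from "21 CFR Part 11 LIMS Requirements-Electronic signatures and records"; copyright belongs to the original author.

This article was compiled and translated by the public account AnalyticalLab. It is for exchange only; do not use it as a basis for action!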
