Presentation on theme: "Electronic Records, 21 CFR Part 11 and Oracle 9i Shon Naeymirad"— Presentation transcript:
1Electronic Records, 21 CFR Part 11 and Oracle 9i Shon Naeymirad Principal Analyst/DBAAbbott Laboratories
2Agenda 21 CFR Part 11 Electronic Record Electronic Signature How to build the final rule of 21 CFR Part 11J2EE Platform OverviewOracle Application Development Framework (ADF)
321 CFR Part 11 : Electronic Records; Electronic Signatures 1991, members of the pharmaceutical industry met with the agency to determine how they could accommodate paperless record systems under the current good manufacturing practice (CGMP) regulations in parts 210 and 211 (21 CFR parts 210 and 211). FDA created a Task Force on Electronic Identification/Signatures to develop a uniform approach by which the agency could accept electronic signatures and records in all program areas.1992, report, a task force subgroup, the Electronic Identification/Signature Working Group, recommended publication of an advance notice of proposed rulemaking (ANPRM) to obtain public comment on the issues involved.1994. A complete discussion of the options considered by FDA and other background information on the agency’s policy on electronic records and electronic signatures can be found in the ANPRM and the proposed rule.1997, The final rule provides criteria under which FDA will consider electronic records to be equivalent to paper records, and electronic signatures equivalent to traditional handwritten signatures. Part 11 (21 CFR part 11) applies to any paper records required by statute or agency regulations and supersedes any existing paper record requirements by providing that electronic records may be used in lieu of paper records. Electronic signatures which meet the requirements of the rule will be considered to be equivalent to full handwritten signatures, initials, and other general signings required by agency regulations.DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and Drug Administration21 CFR Part 11 [Docket No. 92N–0251] RIN 0910–AA29Electronic Records; Electronic Signatures
4Paper Record Blank Form = context Data = content Form + Data = record Complaint FormReporter Name:Event Description:Event Date:Blank Form = contextReporter Name: Jim SmithEvent Description: Patient InfectionEvent Date: January 10, 2001Data = contentForm + Data = record
6Database Record Data Definition Complaint TableComplaint ID Number(10) Unique ID for complaint tableReporter ID Number(10) Foreign Key to Reporter TableComplaint Desc Varchar2(4000) DescriptionComplaint Date Date Date of CallDays Open Number(6) Calculated Field
9Electronic Records Electronic Record Context = Reporter.Name Complaint.Complaint DescriptionComplaint.DateElectronic Record Content =Jim SmithPatient InfectionJanuary 10, 2001Electronic Record: Context + Content =Reporter.Name: Jim SmithComplaint.Complaint Description: Patient InfectionComplaint.Date: January 10, 2001
10Paper vs. Electronic Records Complaint FormElectronic Record Context =Reporter.NameComplaint.Complaint DescComplaint.Date*Record definition includes 2 tables and 3 fields but excludes 8 fields in those tables plus all fields in the address table.Electronic Record = Paper RecordReporter.Name: Jim SmithComplaint.Complaint Desc: Patient InfectionComplaint.Date: January 10, 2001Reporter Name: Jim SmithEvent Description: Patient InfectionEvent Date: January 10, 2001
11Key PointYou must define the context of the electronic record (i.e., the collection of fields and tables that comprise the record) independent of the underlying database structures.Otherwise, you risk the interpretation that all information in the database is part of the “electronic record.”As with any definition we need to store that definition so it can be applied consistently and referred to when is needed.
12Attestation vs. Signature Attestation, simply stated, is attesting to the fact that a person changed a record, and links the record to the person who changed it, and when the change occurred.A signature, on the other hand, implies approval, acceptance, or authorization (like signing a check, to authorize your bank to release funds).Key Point:Your software should differentiate between attestation and signature since you need attestation on all required records but signatures only on certain records as defined by predicate rule.“Don’t allow IT to define what records to apply signatures.”
14UTCEstablish a procedure for determining the local date and time from a time stamp based on UTC, Coordinated Universal Time.Coordinated Universal Time replaces Greenwich Mean Time to represent the Earth's prime meridian (0 degrees longitude). UTC is based upon the atomic time scale that is commonly referred to as GMT. In 1970 the International Telecommunication Union agreed upon a single acronym for use in all languages to be UTC.Oracle server date and time must be set to UTC.
15How to build the final rule of 21 CFR Part 11 System Understand system requirementsDesign good data modelDefine security rolesEnforce password changeBuild Audit Trail for all tablesSelect your frameworkAutomate your developmentPerformance tuning
16Build Audit Trail Create history table for all tables Use database insert, update, delete triggers to build history recordsRecord user, server date and timeDefine your Electronic RecordDefine approval process of Electronic RecordBuild a mechanism to record versioning for your Electronic Records
17Oracle SecurityFrom the authentication standpoint, Oracle’s Single Sign-On (SSO) Server provides a scalable and extensible solution to address Web-based SSO.Oracle ID and password can be used as Electronic Signature.Use Oracle Profile to enforce password expiration, re-use control and complexity.Use Oracle Roles to control user accessOracle database instance login trigger can be used to monitor all logins.Time stamps must be stored with electronic signature.
21Logon Trigger CREATE TRIGGER "SYSTEM"."LOGON_CHECK" AFTER LOGON ON DATABASEBegin-- Limit access-- Verify usage of tools that was used to logon-- Insert into appl_audit_tablesend;
22J2EE Platform Overview Open standard supported by a community process Backed by Big names like Oracle, IBM, SunArchitecture for Highly scaleable multi-tier enterprise applicationsExtends java promise for “Write Once, Run Anywhere" portability
23J2EE Platform RolesProduct Provider – supplier of container e.g. OracleTool Provider – supplier of tools for development and packagingApplication DeveloperApplication AssemblerApplication DeployerSystem Administrator
24Oracle9i Application Server Release 2 Productive DevelopmentComplete J2EE, Web ServicesLightweight J2EE FootprintMost Reliable DeploymentFast Application ServerHigh Availability and ClusteringComplete Management and Security100% Standards CompliantJ2EE 1.3, Web Services, SOAP, WSDL, UDDI, ebXML, RosettaNet, LDAP, SSL, XML ...
33SummaryYour software should differentiate between attestation and signature.You should define the context of the electronic record independent of the underlying database structures.You must link the attestation, or person who created, modified or deleted the record, to the correct revision of the record. This audit trail functionality is required.Design your electronic record around approval processSelect your framework for J2EEUse existing tools to integrate and automate