Scientist working on Drug Discovery

GxP regulated industry assessments of SoftMax Pro Software

This document outlines references to 21 CFR Part 11 and EudraLex Annex 11 and how they apply to the implementation of SoftMax® Pro GxP Data Acquisition and Analysis Software in regulated environments.

What is Part 11?

Though Part 11 is not a mandate for the use of electronic or computerized systems, it allows the use of electronic records, safeguards the integrity of computerized systems, data, and the validity of electronic signatures. Most recently, the FDA enforces data integrity as a vital part of ensuring the safety of medical products for human and veterinary use. The FDA can exercise “enforcement discretion” in the areas of validation, audit trails, retention of records and record copying on electronic records.

It is appropriate for users who create, modify, or delete regulated records to review an audit trail as it reveals malicious intent, such as tampering with data and fabrication of results.

What is Annex 11?

Annex 11 is a guidance document that supplements the European Union’s GMP rules: EudraLex Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice which applies to any human and veterinary medicinal products manufactured or sold in the European Union.

This annex applies to all computerized systems used in GMP regulated activities and ensures computerized systems used in the manufacture of medicinal products have no impact to product quality or product safety.

In general, when a computerized system replaces a manual operation, Annex 11 ensures there are no additional risks.

While Annex 11 and Part 11 are mutually aligned with the goal of safe, validated computerized systems for drug and medical device manufacturing, their approach to this goal is different. Annex 11 is more a guideline and not a legal requirement, where Part 11 is fully enforceable under federal law.

Whose responsibility is it to validate the system?

A regulated customer, or those that manufacture food or drugs for human and veterinary consumption are required to comply to regulations. SoftMax Pro GxP Data Acquisition and Analysis Software, including GxP Admin Portal (Molecular Devices), is not subject to FDA regulatory requirements but can ensure their customers achieve their compliance to 21 CFR Part 11 and EudraLex Annex 11.

Annex 11 mentions a process owner, system owner, qualified person, and IT. On the customer side, it is the ‘system owner’ (usually IT management) or the ‘business process owner’ (usually lab managers) who interface with IT are ultimately responsible for validation. A validation team should be representative of multiple stakeholders.

Impact of compliance vs. non-compliance

Costs to validate multiple computerized systems can be significant and efforts must be carefully planned to identify resources, procurement and project expenses. Some organizations may enlist third parties to design and execute computerized system validation, but the responsibility for the validation effort and maintaining a compliant validated system cannot be delegated and remains with the regulated customer per regulations in 21 CFR Part 11 and EudraLex Annex 11.

Public record of judgements against pharmaceutical or independent/contract labs show that the cost of non-compliance is significant (can be in the millions of dollars) for lost productivity and revenue, costs for rework, and reputation with investors and customers.

Federal regulatory agencies have the authority to show up unannounced to conduct audits/investigations. If auditors find observations, they may issue verbal warnings or Form 483s. These can escalate into warning letters for more serious violations. These can lead to shutdown of manufacturing operations, or products may not be permitted for distributed within the United States.

Code of Federal Regulations (CFR)

The Code of Federal Regulations (CFR) is a codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government.

It is divided into 50 titles that represent broad areas subject to Federal regulation.

Title 21 of the CFR is reserved for rules regulated by the Food and Drug Administration (Dept. of Health and Human Services), the Drug Enforcement Administration (Dept. of Justice) and the Office of National Drug Control Policy.

The rules governing medicinal products in the European Union

Volume 4 of “The rules governing medicinal products in the European Union” contains guidance for the interpretation of the principles and guidelines of good manufacturing practices for medicinal products for human and veterinary use.

The GMP Guide is presented in three parts and supplemented with annexes that represent broad areas subject to Federal regulation.

GxP regulated industry assessments of SoftMax Pro Software
https://main--moleculardevices--hlxsites.hlx.page/sites/default/files/en/assets/white-paper/br/gxp-regulated-industry-assessments-of-softmax-pro-software.pdf

Table 1: Assessment of 21 CFR Part 11 Compliance for SoftMax Pro GxP Software.

Reference to 21 CFR Part 11

Molecular Devices

Products/Services

End User Operations
Subpart B – Electronic Records

§11.10 – Controls for Closed Systems

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include:

SoftMax Pro GxP Software has enhanced features that enforce data integrity in electronic records and electronic signatures that can be demonstrated through validation processes that include IQ/OQ testing.
It is the end user responsibility to develop business process and procedures to support computerized system applications in their regulated environment.
(a) Validation of the system to ensure accuracy, reliability, and consistent intended performance and the ability to discern invalid or altered records.
Molecular Devices Professional Services team of experts provide validation services to help end users achieve 21 CFR Part 11 compliance.
End users are required to validate their installation and can use the vendor’s comprehensive Validation Guide.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by agency.
SoftMax Pro GxP Software files can be properly configured to generate and report accurate analysis of data in electronic record files.
End users can review audit trails to trace user actions within the file to check for modifications that happened within the file.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
This requirement can be satisfied with careful design of system architecture with controlled access to the SQL database.
End users will establish internal business process with guidance for record retention, back-up, and data archival.
(d) Limiting system access to authorized individuals.
GxP Admin Portal software allows for configuration of user authentication, assignment of roles, and permissions to control and limit system access to the software and SQL database.
End users will establish internal business process with guidance for system administrators to manage user accounts, role permissions to control access to the SQL database and software.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Each SoftMax Pro GxP Software data document file has its own audit trail.

The GxP Admin Portal software maintains system audit trail information that reports end user activities within the software and database.

End users will establish internal business process with guidance for audit trail review and reporting of acceptable results.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
SoftMax Pro GxP Software features a new document workflow which has built-in checks to ensure that steps are carried out in sequence and documented in the data document audit trail.
End users will establish internal business process with guidance for steps and events that occur outside the software.
(g) Use of authority checks to enforce permitted sequencing of steps and events, as appropriate.
User authentication and access permissions configured within the GxP Admin Portal software provide this functionality.
End users will establish internal business process with guidance for system administrators to manage access to the SQL database and software.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
SoftMax Pro GxP Software document audit trails are available. System audit trail is available in GxP Admin Portal software.
It is the end user responsibility to define device checks or audit trail review processes as appropriate.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
Not applicable
End users will establish internal business process with guidance on training requirements.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
End users will establish internal business process to satisfy this requirement.

(k) Use of appropriate controls over systems documentation including:

  1. Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
  2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
End users will establish internal business process to satisfy this requirement.

§11.50 – Signature manifestations

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

  1. The printed name of the signer;
  2. The date and time when the signature was executed; and
  3. The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

Statements and document audit trails are available in SoftMax Pro GxP Software.

System audit trail is available in GxP Admin Portal software.

It is the end user responsibility to establish internal business process for data and audit trail review.

§11.70 – Signature record/linking

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

SoftMax Pro GxP Software is designed that electronic signatures are linked directly to its respective electronic record and cannot be decoupled from the record itself.
End users will establish internal business process for guidance on electronic signatures.
Subpart C – Electronic Signatures

§11.100 – General Requirements

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

SoftMax Pro GxP Software is designed to enforce two different reviewers to sign two statements.
End users will establish internal business process for guidance on electronic signature usage and security.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
User authentication and access permissions are configured within the GxP Admin Portal software.
End users will establish internal business process for guidance on electronic signature usage and security.

§11.200 – Electronic Signature components and controls

(a) Electronic signatures that are not based upon biometrics shall:

  1. Employ at least two distinct identification components such as an identification code and password.
    1. When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
    2. When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
Electronic signature functionality requires the entry of both username and password. Both must be re-entered for each subsequent application of an electronic signature.
(2) Be used only by their genuine owners.
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
GxP Admin Portal software allows for password configuration and maintenance.

§11.300 – Controls for Identification codes/passwords

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

User IDs and passwords are configured in the GxP Admin Portal software.
End users will establish internal business process for guidance on password requirements.
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
GxP Admin Portal software will not allow for identical usernames to be created.
End users will establish internal business process for guidance on password requirements.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
Password aging can be configured in the GxP Admin Portal software.
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
User access can be deactivated and passwords can be reset in the GxP Admin Portal software. Token access is not used by SoftMax Pro GxP Software nor can it be configured in the GxP Admin Portal software.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
The GxP Admin Portal software can be configured to lock a user account after a defined number of unsuccessful login attempts, and be captured in a System Audit Trail report.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Token access is not used by SoftMax Pro GxP Software nor can it be configured in the GxP Admin Portal software.
Not applicable

Table 2: Assessment of EudraLex Volume 4 (Annex 11) Compliance for SoftMax Pro GxP Software.

Reference to EMA Annex 11 General

Molecular Devices

Products/Services

End User Operations

1. Risk management

Risk management should be applied throughout the lifecycle of the computerized system, taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system.

Not applicable
It is the end user responsibility to perform risk management activities related to their computerized system.

2. Personnel

There should be close cooperation between all relevant personnel such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.

It is the end user responsibility to identify these personas.

3. Suppliers and Service Providers

3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerized system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.

Molecular Devices provides customized software validation services that could include automated processes.

Molecular Devices certified Field Service Engineers (FSEs) provide IQ/OQ or PM/OQ services for plate readers.

It is the end user responsibility to establish internal business process for guidance and requirements for suppliers and service providers based on their risk assessment of computerized systems.

4. Validation

4.2 Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.

Molecular Devices certified Field Service Engineers (FSEs) provide a signed report of the completed software IQ/OQ.
It is the end user responsibility to maintain validation documentation to support this requirement.
4.4 User Requirements Specifications should describe the required functions of the computerized system and be based on documented risk Assessment and GMP impact. User requirements should be traceable throughout the life-cycle.
Not applicable
It is the end user responsibility to maintain their own User Requirements Specifications to support this requirement.
4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.
It is the end user responsibility to ensure their quality management system supports this requirement.
4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system (process) parameter limits, data limits and error handling should be considered. Automated testing tools and test environments should have documented assessments for their adequacy.

SoftMax Pro GxP Software has built-in protocol files that work with the SpectraTest Validation plates.

SoftMax Pro GxP Software allows for customizable protocol files.

End users can create/modify protocol files based on their test method and assay acceptability requirements.

7. Data Storage

7.1 Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period.

SoftMax Pro GxP Software introduces controlled access to a secure SQL database for storage of data.
It is the end user responsibility to establish internal business process for guidance on data storage procedures and requirements.
7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.
Not applicable
It is the end user responsibility to establish internal business process for guidance on data back-up procedures and requirements.

8. Printouts

8.1 It should be possible to obtain clear printed copies of electronically stored data.

SoftMax Pro GxP Software allows the printing of sections, including the audit trail in PDF format.
It is the end user responsibility to establish internal business process for guidance on printing of electronic files.
8.2 For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry.
SoftMax Pro GxP Software allows the printing of sections, including the audit trail in PDF format.
It is the end user responsibility to establish internal business process for guidance on printing of electronic files.

9. Audit Trails

Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”). For change or deletion of GMP-relevant data The reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.

GxP Admin Portal software features the system audit trail which can generate a printed report.
It is the end user responsibility to establish internal business process for guidance on audit trails and reviews.

10. Change and configuration management

Any changes to a computerized system including system configurations should only be made in a controlled manner in accordance with a defined procedure.

Not applicable
It is the end user responsibility to establish internal business process with guidance for change control requirements.

11. Periodic evaluation

Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports.

It is the end user responsibility to establish internal business process with guidance to fulfill this requirement.

12. Security

12.1 Physical and/or logical controls should be in place to restrict access to computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

User IDs and passwords are configured in the GxP Admin Portal software.

User access can be deactivated and passwords can be reset in the GxP Admin Portal software. Token access is not used by SoftMax Pro GxP Software nor can it be configured in the GxP Admin Portal software.

It is the end user responsibility to establish internal business process for guidance on password requirements.
12.3 Creation, change, and cancellation of access authorizations should be recorded.
GxP Admin Portal software allows the administration of user accounts/ passwords and all activities thereof, are captured in the system audit trail.
12.4 Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.
SoftMax Pro GxP Software and GxP Admin Portal software provide robust audit trail capabilities that fulfill this requirement.
It is the end user responsibility to establish internal business process for appropriate review of audit trails.

14. Electronic Signature

Electronic records may be signed electronically. Electronic signatures are expected to:

  1. have the same impact as hand-written signatures within the boundaries of the company
  2. be permanently linked to their respective record
  3. include the time and date that they were applied
Statements and audit trail features of SoftMax Pro GxP Software satisfy this requirement.
It is the end user responsibility to establish internal business process for data and audit trail review.

16. Business Continuity

For the availability of computerized systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested.

Not applicable
It is the end user responsibility to establish internal business process for business continuity requirements.

17. Archiving

Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested.

SoftMax Pro GxP Software introduces controlled access to a secure SQL database for storage of data.
It is the end user responsibility to establish internal business process for data archival requirements.

Proven GxP solutions to assure data integrity and compliance

Our mission at Molecular Devices is to assist our customers in achieving compliance in GLP (good laboratory practices) and GMP (good manufacturing practice) regulated labs. We have developed proven GxP compliance solutions with microplate detection systems and software. Combined with installation and validation services along with IQ/OQ support, our solutions assure data integrity.

Recent posts