Electronic Records,
21 CFR Part 11 and Oracle 9i
Shon Naeymirad
Principal Analyst/DBA
Abbott Laboratories
Agenda






21 CFR Part 11
Electronic Record
Electronic Signature
How to build the final rule of 21 CFR Part 11
J2EE Platform Overview
Oracle Application Development Framework (ADF)
21 CFR Part 11 :
Electronic Records; Electronic Signatures
• 1991, members of the pharmaceutical industry met with the agency to determine how they
could accommodate paperless record systems under the current good manufacturing practice
(CGMP) regulations in parts 210 and 211 (21 CFR parts 210 and 211). FDA created a Task
Force on Electronic Identification/Signatures to develop a uniform approach by which the
agency could accept electronic signatures and records in all program areas.
• 1992, report, a task force subgroup, the Electronic Identification/Signature Working Group,
recommended publication of an advance notice of proposed rulemaking (ANPRM) to obtain
public comment on the issues involved.
• 1994. A complete discussion of the options considered by FDA and other background
information on the agency’s policy on electronic records and electronic signatures can be
found in the ANPRM and the proposed rule.
• 1997, The final rule provides criteria under which FDA will consider electronic records to be
equivalent to paper records, and electronic signatures equivalent to traditional handwritten
signatures. Part 11 (21 CFR part 11) applies to any paper records required by statute or
agency regulations and supersedes any existing paper record requirements by providing that
electronic records may be used in lieu of paper records. Electronic signatures which meet the
requirements of the rule will be considered to be equivalent to full handwritten signatures,
initials, and other general signings required by agency regulations.
DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and Drug Administration
21 CFR Part 11 [Docket No. 92N–0251] RIN 0910–AA29
Electronic Records; Electronic Signatures
Paper Record
Complaint Form
Blank Form = context
Reporter Name: Jim Smith
Event Description: Patient Infection
Data = content
Event Date: January 10, 2001
Form + Data = record
Database Records
Database Record Data Definition
Complaint Table
Complaint ID
Number(10)
Unique ID for complaint table
Reporter ID
Number(10)
Foreign Key to Reporter Table
Complaint Desc
Varchar2(4000)
Description
Complaint Date
Date
Date of Call
Days Open
Number(6)
Calculated Field
Electronic Record - Context
Electronic Record - Content
Electronic Records
Electronic Record Context =
Reporter.Name
Complaint.Complaint Description
Complaint.Date
Electronic Record Content =
Jim Smith
Patient Infection
January 10, 2001
Electronic Record: Context + Content =
Reporter.Name: Jim Smith
Complaint.Complaint Description: Patient Infection
Complaint.Date: January 10, 2001
Paper vs. Electronic Records
Complaint Form
Electronic Record Context =
Reporter.Name
Reporter Name: Jim Smith
Event Description: Patient Infection
Complaint.Complaint Desc
Complaint.Date
*Record definition includes 2 tables and 3
fields but excludes 8 fields in those tables plus
all fields in the address table.
Event Date: January 10, 2001
Electronic Record = Paper Record
Reporter.Name: Jim Smith
Complaint.Complaint Desc: Patient Infection
Complaint.Date: January 10, 2001
Key Point
You must define the context of the electronic record (i.e.,
the collection of fields and tables that comprise the record)
independent of the underlying database structures.
Otherwise, you risk the interpretation that all information in
the database is part of the “electronic record.”
As with any definition we need to store that definition so it can be applied
consistently and referred to when is needed.
Attestation vs. Signature
Attestation, simply stated, is attesting to the fact that a person
changed a record, and links the record to the person who
changed it, and when the change occurred.
A signature, on the other hand, implies approval, acceptance, or
authorization (like signing a check, to authorize your bank to
release funds).
Key Point:
Your software should differentiate between attestation and
signature since you need attestation on all required records but
signatures only on certain records as defined by predicate rule.
“Don’t allow IT to define what records to apply signatures.”
Time Zone
UTC
• Establish a procedure for determining the local date and
time from a time stamp based on UTC, Coordinated
Universal Time.
• Coordinated Universal Time replaces Greenwich Mean
Time to represent the Earth's prime meridian (0 degrees
longitude). UTC is based upon the atomic time scale
that is commonly referred to as GMT. In 1970 the
International Telecommunication Union agreed upon a
single acronym for use in all languages to be UTC.
• Oracle server date and time must be set to UTC.
How to build the final rule of 21 CFR Part 11 System








Understand system requirements
Design good data model
Define security roles
Enforce password change
Build Audit Trail for all tables
Select your framework
Automate your development
Performance tuning
Build Audit Trail
 Create history table for all tables
 Use database insert, update, delete triggers to
build history records
 Record user, server date and time
 Define your Electronic Record
 Define approval process of Electronic Record
 Build a mechanism to record versioning for
your Electronic Records
Oracle Security
• From the authentication standpoint, Oracle’s Single
Sign-On (SSO) Server provides a scalable and
extensible solution to address Web-based SSO.
• Oracle ID and password can be used as Electronic
Signature.
• Use Oracle Profile to enforce password expiration,
re-use control and complexity.
• Use Oracle Roles to control user access
• Oracle database instance login trigger can be used
to monitor all logins.
• Time stamps must be stored with electronic
signature.
Oracle9iAS Security Components
Oracle HTTP
Server
OC4J
mod_ossl
Client
mod_osso
Single
Sign-On
JAAS
Oracle
Internet
Directory
Oracle9iAS JAAS Provider Integration with OC4J and SSO/OID
Oracle Profile
CREATE PROFILE “NEWUSER"
LIMIT CPU_PER_SESSION DEFAULT
CPU_PER_CALL DEFAULT
CONNECT_TIME DEFAULT
IDLE_TIME DEFAULT
SESSIONS_PER_USER DEFAULT
LOGICAL_READS_PER_SESSION DEFAULT
LOGICAL_READS_PER_CALL DEFAULT
PRIVATE_SGA DEFAULT
COMPOSITE_LIMIT DEFAULT
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LOCK_TIME 90
PASSWORD_GRACE_TIME 1
PASSWORD_LIFE_TIME .0006
PASSWORD_REUSE_MAX 10
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION
Logon Trigger
CREATE TRIGGER "SYSTEM"."LOGON_CHECK"
AFTER LOGON ON DATABASE
Begin
-- Limit access
-- Verify usage of tools that was used to logon
-- Insert into appl_audit_tables
end;
J2EE Platform Overview
 Open standard supported by a community
process
 Backed by Big names like Oracle, IBM, Sun
 Architecture for Highly scaleable multi-tier
enterprise applications
 Extends java promise for “Write Once, Run
Anywhere" portability
J2EE Platform Roles
 Product Provider – supplier of container e.g.
Oracle
 Tool Provider – supplier of tools for
development and packaging
 Application Developer
 Application Assembler
 Application Deployer
 System Administrator
Oracle9i Application Server
Release 2
 Productive Development
–
–
Complete J2EE, Web Services
Lightweight J2EE Footprint
 Most Reliable Deployment
–
–
–
Fast Application Server
High Availability and Clustering
Complete Management and Security
 100% Standards Compliant
–
J2EE 1.3, Web Services, SOAP, WSDL, UDDI,
ebXML, RosettaNet, LDAP, SSL, XML ...
J2EE Architecture
Presentation
JSP,
Servlet,
Custom Tags
Business
Logic
EJB,
Java Classes
J2EE Services
JNDI, JTA, JMS, JAAS, JAF,
JavaMail, JAF, JAXP
Database &
Enterprise
Information
System
JDBC,
SQLJ,
JCA,
Oracle9iAS Architecture
HTTP
Oracle HTTP
Server
AJP
mod_oc4j
A
J
P
1
3
JNDI
Web
Container
JMS
JDBC
JTA
Client
JAAS
ORMI
EJB Client
O
R
M
I
EJB
Container
J2C
JavaMail
JAF
Oracle9iAS Containers for J2EE (OC4J)
Model View Controller (MVC)
Persistence Layer
Object-relational Impedance Mismatch
Factor
J2EE
Relational Databases
Logical Data
Representation
Objects, Methods, Inheritance
Tables, SQL, stored procedures
Scale
Hundreds of megabytes
Gigabytes, terabytes
Relationships
Memory references
Foreign keys
Uniqueness
Internal object id
Primary keys
Key Skills
Java development, object
Modeling
SQL, Stored Procedures, data
Management
Tools
IDE, Source code
management, Object Modeler
Schema designer, query
manager, performance
profilers, database
Configuration
Oracle ADF Application Architecture
Oracle9iAS Integration
Summary

Your software should differentiate between attestation and
signature.

You should define the context of the electronic record
independent of the underlying database structures.

You must link the attestation, or person who created, modified or
deleted the record, to the correct revision of the record. This
audit trail functionality is required.

Design your electronic record around approval process

Select your framework for J2EE

Use existing tools to integrate and automate
QUESTIONS
ANSWERS
Descargar

Electronic Records, 21 CFR Part 11