FDA and ServiceNow

General Add comments
by: Olivier Cramer / Logicalis SMC

Currently I’m working as Quality and Test coordinator on a Service-now.com (SNC) project for a pharmaceutical company. This company has to comply with specific rules for companies that produce pharmaceutical products.

In this blog I would like to give an overview of some of the rules required for IT systems by governmental institutes such as the FDA.

I will indicate how SNC can help complying with these rules.

The FDA and their regulations for IT

The U.S. Food and Drug Administration (FDA) is the organization responsible for the public health by assuring the safety, efficacy and security of human and veterinary drugs, biological products, medical devices, the national food supply of the United States, cosmetics, and products that emit radiation.
This is done by creating and enacting regulations for a wide range of subjects i.e. Production machinery, Product labeling, Research documentation and off-course IT.

The regulations for IT set by the FDA are divided in two sections; Electronic Records and Electronic Signatures.
These are described in the Code of Federal Regulations (CFR) Title 21 part 11


Below a set of requirements is given for IT systems stated by the FDA that deal with electronic records and signatures. There are also procedures related to these two topics but I will get into those in a later blog.

Electronic Records:

  • Limiting system access to authorized individuals;
  • The system should have the ability to generate accurate and complete copies of records in human readable and electronic form suitable for inspection;
  • The system should use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that modify electronic records.


Electronic Signatures:

  • Each Electronic Signature has to be unique and belongs to one individual;
  • Electronic Signatures should have at least two distinct identifications;
  • Signed electronic records must contain information associated with the signing that clearly indicates all of the following: the printed name of the signer, the date and time of signing and the meaning associated with the signature.


How does SNC cover these requirements?

SNC provides out-of-the-box a lot of functionalities for the requirements mentioned above.

Electronic Records:

  1. For each user it’s possible to indicate if he/she should have access to the tool and what a person can do and view. By using groups and roles you can limit the information that a person can read, update or delete;
  2. Records that are stored in SNC can be exported from the tool. This can easily be done into PDF, Excel or XML format;
  3. SNC can keep track of all the updates that are performed on a record. This is done in the audit log that can be activated for each single table in the tool. Examples of the information registered in the audit log are: Who has performed the update; time and date of the update; the old and new value; and the number of updates on that field.


Electronic Signature:

  1. In SNC it is possible to use electronic signatures for authorizing and approving. For this functionality the E-Signature Plugin needs to be enabled (by default it is turned off). When a person wants to approve something the tool asks the approver to provide his login credentials. When these credentials are accepted the approval is granted and registered in the system. The credentials used are based on the login credentials of the users. Without knowing the credentials of another user this plugin prevents to approve for another user;
  2. The two distinct identifications used in the Electronic Signature are the login name of the approver and the related password;
  3. When an approval has been performed in the tool the approving person and the time/date of the approval are stored in the tool. Each approval record also has a link to the item for which the approval is needed.


Looking at the requirements stated by the FDA for Electronic records and Electronic signatures SNC can provide the functionality to support them. However it’s possible that a customer might have additional requirements for these two topics next to the ones stated by the FDA that need to be incorporated into the tool. If this is the case SNC is flexible enough to create the additional requirements.


Recommendations

During our project the project team encountered some issues that could be useful for others that deal with FDA related issues in there SNC projects.

  • When using the audit table as a related list, the values that are shown are not always easy to understand. This has to do with the fact that the values are not always shown under their name but as a number i.e. a link to a change record showing the record ID instead of change number. To make it easier for a user to see what updates have been performed over time on a record the activity log can be used. This can show an overview of the updates on the ticket. You will have to enable this for each field that should be shown in the activity log;
  • In our project the e-signature functionality was not only used for the approval of records, but also for the rejection of records. This is not a standard option. Therefore the functionality has been changed to facilitate this requirement of the client;
  • Documentation is King. Especially when you deal with FDA related compliancy personal. Documentation probably will cost you a lot of time because many procedures will have to be written down. Keep in mind to reserve enough time to create the procedures and to get them approved;
  • If you are not sure if you have to comply with FDA regulations make sure you get in contact as soon as possible with a quality manager of your customer. He/she should be able to indicate what is needed in terms of documentation and tool requirements


Being compliant with FDA regulations does not only mean that you should have a tool that covers the requirements for Electronic records and Signatures. It also means that you should have procedures in place that make sure that this functionality is used in a controlled way. This is probably the hardest part of being compliant with FDA regulations or any other regulation. In a next blog I will try to give some more information related to these procedures.

If you have any question you can send me a mail on olivier.cramer@2e2.nl .

Leave a Reply