Transcript CSSC PowerPoint Template

21 CFR Part 11
Regulatory Overview and
What’s New with the FDA
Presented by:
Frederick J. Sperry
Validation Manager
©QPharma 2010
Agenda
• Regulatory History
• Regulation Applicability
• E-Record Requirements Review
• E-Signature Requirements Review
• What’s New With FDA Enforcement
• Q&A
©QPharma 2010
2
Regulatory History
• 1997 – 21 CFR Part 11; Final Rule
• 1997-2002 – Enforcement, 6 Draft
Guidances Issued
• 2003 – Previous Guidances Withdrawn
• 2003 – Guidance on Scope and
Application (Kindler – Gentler Part 11)
cGMPS for 21st Century
 Enforcement discretion
©QPharma 2010
3
Regulatory History
• Enforcement Discretion – what did that mean?
 Agency has not generally enforced certain Part
11 requirements without other issues
 Guidance does not carry the weight of law
 Systems and applications still must meet
predicate rule requirements
 The use of a System or Application Risk
Assessment is a good tool to identify and
focus on key issues associated with
compliance to predicate rules.
©QPharma 2010
4
Regulatory History
• Risk Assessment Basics for Part 11
 Determining the Need for a Control
 Determining the Type of Control to be
Implemented
 Factors for Consideration
 Impact on Product Quality and / or Public Health
 Likelihood of Risk Scenario impacting product or status
reporting or release data
 Identify any Mitigating Factors – extra testing or
procedural controls
©QPharma 2010
5
Regulatory History
• The Future
Revision to Part 11 eventually
 But hasn’t been a priority
 Current Part 11 regulations continue to be
enforceable
 Enforcement likely to reflect current thinking
from latest guidance
New Inspectional Guidance Process
 To assess compliance in Industry
 Post Inspections, expect Part 11 to be revisited
©QPharma 2010
6
Regulation Applicability
• Why is Part 11 necessary?
Paper Records / Handwritten
Sigs
E-Records / E-Signatures
(+) Fixed Representation
(+) Durable
(+) Changes Very Evident
(+) Copies Evident
(+) Signatures Hard to Forge
(-) Need Storage Space
(-) Inefficiency of Search / Sharing
(+) Global Sharing
(+) Rapid Analysis and Search
(+) Efficient Review and Approval
(-) Changes / Copies Not Evident
(-) Selective Data Views
(-) Higher Possibility of Data Loss
(-) Easy to Forge Signatures
©QPharma 2010
7
Regulation Applicability
• Electronic records used to meet record
keeping requirements of FDA regulations
Example Predicate Requirements:
 §211.188 – “Batch production and control
records shall be prepared for each batch of drug
product…”
 §820.30(j) – “Design history file. Each
manufacturer shall establish and maintain a
DHF for each type of device.”
©QPharma 2010
8
Regulation Applicability
• Building Management Systems (BMS)
• Calibration Management Systems (CMS)
• Maintenance Management Systems (MMS)
• Manufacturing Execution Systems (MES)
• Enterprise Resource Planning (ERP)
• Distributed Control Systems (DCS)
• SCADA and PLC Systems
• Case Report Form Systems
• Clinical Data Management Systems
• Statistical Analysis Software (e.g., SAS)
• Adverse Event Reporting Systems (AERS)
©QPharma 2010
• Chromatography Data Acquisition Systems
• Environmental Monitoring Systems (EMS)
• Lab Information Management Systems (LIMS)
• Stability Systems
• DM & PK Systems
• Training Record Systems
• Electronic Submission Systems
• Sales Force Automation Systems (SFA)
• Standard Operating Procedure Systems
• Document Management Systems (DMS)
9
Regulation Applicability
• Paper vs. Electronic Records
Previous Interpretation
 Regulated data written in non-temporary form to
tangible media is an electronic record with Part
11 impact
 True even if records were printed and paper
was called the “official” copy
2003 Guidance
 Electronic records are exempt from Part 11 if
only paper versions of the electronic records are
used for regulated activities
©QPharma 2010
10
Regulation Applicability
• Paper vs. Electronic Records
 Key Points for Exemption
 Still responsible for ensuring data
integrity from creation to printing
 Once hardcopy is generated, electronic
records cannot be used for any regulated purpose
– even as a backup in case paper is lost
 Decision to use paper (or electronic records) should be
documented
 Should have procedures and training indicating electronic
records not to be used after printing
 Preferable to purge electronic records after printing
©QPharma 2010
11
Regulation Applicability
• Legacy Systems
Previous Interpretation
 No grandfathering of systems
 Even if a system was in place before Part 11
was legally enforceable, Part 11 still applies
effective August 20, 1997
2003 Guidance
 Enforcement discretion for legacy systems
 Part 11 will not be enforced for systems that
were in production prior to August 20, 1997
©QPharma 2010
12
Regulation Applicability
• Legacy Systems
Key Points for Legacy Exemption
 System must have met all predicate rule
requirements prior to August 20, 1997
 The system currently meets all predicate rule
requirements
 Documented evidence and justification exists
that the system meets its intended use (i.e.,
validation)
 No changes have been made to the system that
prevent the system from meeting predicate rule
requirements
©QPharma 2010
13
Regulation Applicability
• Electronic Signatures
Previous Interpretation
 Part 11 applies to all electronic signatures used
to meet the signature requirements of predicate
rules and an organization’s internal procedures
2003 Guidance
 Part 11 does not apply to signatures required
by internal procedures if there is no
corresponding predicate rule
requirement
©QPharma 2010
14
Regulation Applicability
• Signatures
Types
 Handwritten
 Biometric
 Non-biometric
Example Predicate Requirement
 §211.168(a) – “To ensure uniformity from batch
to batch, master production and control records
for each drug product, including each batch
size thereof, shall be prepared, dated, and
signed…”
©QPharma 2010
15
Regulation Applicability
• Hybrid Systems
Combination of Electronic and
Hardcopy Components
 Maintain data electronically – print and sign a
hardcopy
 Raw data maintained electronically – derived
data printed (and possibly signed)
©QPharma 2010
16
Regulation Applicability
• Which Sections of the Regulation Apply?








* - Section 11.30 is only applicable to Open Systems
Electronic record only (no signatures)
E-records and handwritten signatures only
E-records and Non-biometric e-signatures
E-records and Biometric e-signatures
©QPharma 2010
Rule does not apply to this type of system.
N/A N/A N/A N/A N/A
*
N/A
N/A N/A N/A

*
N/A




*
N/A




*
11.300
11.200(b)
11.200(a)
11.100
11.70
11.50
11.30
11.10
System Type
No e-records or e-signatures
21 CFR Part 11 Sections (-Applicable & N/A -Not Applicable)
11.1; 11.2;
11.3
Matrix of Applicable Regulations
N/A
N/A

N/A
17
E-Record Requirements
• §11.10(a) – Validation
Previous Interpretation
 If Part 11 applies to a system, it
must be validated
2003 Guidance
 Enforcement discretion for this requirement
 The need for validation is determined by
predicate rule requirements and documented
risk assessment
 Even if no predicate requirement, may still be
important to validate to determine if system
meets its intended use
©QPharma 2010
18
E-Record Requirements
• §11.10(a) – Validation
 FDA Cited Validation References
 General Principles of Software Validation; Final Guidance
for Industry and FDA Staff
 GAMP 4 or 5 Guide for Validation of Automated Systems
 Example Predicate Requirement:
 §820.70(i) – “Automated processes. When computers or
automated data processing systems are used as part of
production or the quality system, the manufacturer shall
validate computer software for its intended use according
to an established protocol. All software changes shall be
validated before approval and issuance. These validation
activities and results shall be documented.”
©QPharma 2010
19
E-Record Requirements
• §11.10(b) – Copies of Records
 Previous Interpretation
 It must be possible to provide complete and accurate copies
of all electronic records and associated metadata to FDA in
both hardcopy and electronic format
 Converted formats must have same search, sort and trend
operations as original records
 2003 Guidance
 Enforcement discretion - Agency investigators must be
afforded reasonable and useful access to records in
accordance with predicate rules
 Preserve content and meaning
©QPharma 2010
20
E-Record Requirements
• §11.10(b) – Copies of Records
 Example Predicate Requirement:
 §820.180 – “All records required by this part shall be
maintained at the manufacturing establishment or other
location that is reasonably accessible to responsible
officials of the manufacturer and to employees of FDA
designated to perform inspections. Such records, including
those not stored at the inspected establishment, shall be
made readily available for review and copying by FDA
employee(s). Such records shall be legible and shall be
stored to minimize deterioration and to prevent loss.
Those records stored in automated data processing
systems shall be backed up.”
©QPharma 2010
21
E-Record Requirements
• §11.10(c) – Record Retention
Previous Interpretation
 Electronic records must be protected such that
accurate copies could be readily provided
throughout retention period
 If created electronically, records must be
maintained electronically
 Archived records must have same search, sort
and trend operations as original records
©QPharma 2010
22
E-Record Requirements
• §11.10(c) – Record Retention
2003 Guidance
 Enforcement discretion for this requirement
 Records must be retained in accordance with
predicate rules
 Retained records must preserve content and
meaning of the original records
 Records may be archived to non-electronic
format such as paper, microfilm, or microfiche
©QPharma 2010
23
E-Record Requirements
• §11.10(c) – Record Retention
 Example Predicate Requirements:
 §211.180(a) – “Any production, control, or distribution
record that is required to be maintained in compliance
with this part and is specifically associated with a batch
of a drug product shall be retained for at least 1 year
after the expiration date of the batch or, in the case of
certain OTC drug products lacking expiration dating
because they meet the criteria for exemption under
211.137, 3 years after distribution of the batch.”
 §820.180 – “Such records shall be legible and shall be
stored to minimize deterioration and to prevent loss.”
©QPharma 2010
24
E-Record Requirements
• §11.10(d) – Security
Limit access to authorized individuals
 Physical security
 Logical security
 Backend file / database access
©QPharma 2010
25
E-Record Requirements
• §11.10(e) – Audit Trail
 Previous Interpretation
 A secure, computer generated, time-stamped audit trail is
required for all operator actions that create, modify or delete
e-records
 Audit trail must retain a full history of changes made to the
record
 2003 Guidance
 Enforcement discretion for this requirement
 Need for audit trail and the form it takes
is determined by predicate rule requirements
and documented risk assessment
 Even if no predicate requirement, may still be important to
have audit trail to ensure trustworthiness and reliability of
records
©QPharma 2010
26
E-Record Requirements
• §11.10(e) – Audit Trail
Example Predicate Requirement:
• §58.130(e) – “Any change in entries shall be
made so as not to obscure the original entry,
shall indicate the reason for such change, and
shall be dated and signed or identified at the
time of the change..”
©QPharma 2010
27
E-Record Requirements
• §11.10(f) – Operational System Checks
 System enforces logical sequencing of events
(where applicable)
• §11.10(g) – Authorization Checks
 Access to functionality limited to user role
• §11.10(h) –Device Checks
 Ensure sources of data input are properly
identified and verified (where applicable)
©QPharma 2010
28
E-Record Requirements
• §11.10(i) – Training
 System developers, administrators
and users must be properly trained
• §11.10(j) – Accountability
 Accountability policies for user actions in the
system
• §11.10(k) – Documentation Controls
 Control over distribution, access and use of
system docs
 Revisioning procedures for system
documentation
©QPharma 2010
29
E-Record Requirements
• Open vs. Closed Systems
 Closed System
 The access to the data in the system stay within owner’s
control
 Open System
 The system access is not controlled by persons who are
responsible for the data
• §11.30 – Open System Controls
 Additional controls to ensure authenticity,
integrity, and confidentiality of records
 Encryption
 Digital signatures
©QPharma 2010
30
E-Signature Requirements
• §11.50 – Signature Manifestation
 Signature information associated with record
must appear in all human readable forms
 Printed name of signer
 Date and time of signing
 Meaning of the signature
• §11.70 – Signature Linkage
 Signature must be securely linked to electronic
records such that the signature cannot be
excised, copied, or transferred by ordinary
means
 Includes handwritten signatures executed to electronic
records
©QPharma 2010
31
E-Signature Requirements
• §11.100 – General Requirements
(a) Signature must be unique to one
individual
(b) Identity verification required prior to
electronic signature access and
release
(c) Certify use of electronic
signatures to FDA
©QPharma 2010
32
E-Signature Requirements
• §11.200 – Electronic Signatures
Components and Controls
 (a)(1) Non-biometric signatures must employ at
least two distinct components
 (a)(1)(i) Must enter all components during first
signing of continuous session – must enter
one private component on subsequent
signings
 (a)(1)(ii) Must enter all components during noncontinuous session
 System inactivity lock out
©QPharma 2010
33
E-Signature Requirements
• §11.200 – Electronic Signature
Components and Controls
 (a)(2) E-sigs may only be used by genuine
owner
 (a)(3) Collaboration would be necessary for
non-owner to use signature
 System admin cannot view passwords
 (b) Biometrics can only be used by
genuine owners
 Resolution of scan to avoid false
positives
©QPharma 2010
34
E-Signature Requirements
• §11.300 – Controls for ID
Codes / Passwords
(a) ID Code / Password combo must be
unique
(b) Password aging is required
(c) Loss management for devices
(d) Transaction safeguards
 Lock out after N failed attempts
 Immediate (reasonable) notification to security
(e) Device testing
©QPharma 2010
35
FDA New Part 11Initiative
• The FDA’s Next Step
– Presented at ISPE Washington conference
• By: Center for Drug Evaluation and Research (CDER)
• Agency to re-examine 21 CFR Part 11 as currently
implemented in industry
• Company Drug inspectional assignments will include a
Part 11 Requirements component
• Compare requirements in Part 11 Scope & Application
guidance published in August of 2003 with actual
implemented systems.
©QPharma 2010
36
FDA New Part 11Initiative
• Purpose of Inspections:
– To evaluate industry’s compliance and current
understanding of Part 11
– In light of the enforcement discretion described in the
2003 Scope of Application Guidance
• Inspectional Note:
– CDER intends to take appropriate enforcement
action to Part 11 requirements for serious predicate
rule issues raised during the inspections
©QPharma 2010
37
FDA New Part 11Initiative
• In Summary
– The FDA will evaluate industry compliance with Part 11
Regulation
– Inspections performed in light of the enforcement
discretion described in the scope of application guidance
– issued August 2003
– CDER intends to take appropriate action to enforce Part 11
requirements for issues raised during inspections.
– FDA may use the inspectional findings as a part of the reevaluation of the 21 CFR Part 11 Regulation and Guidance
documents.
©QPharma 2010
38
Questions
©QPharma 2010
39
Thank you!:
Fred Sperry
Validation Manager
QPharma, Inc.
22 South Street
Morristown, NJ 07960
(973) 656-0011 x2028
(973) 656-0408 (FAX)
[email protected]
http://www.qpharmacorp.com
©QPharma 2010