The FDA's New Enforcement of 21 CFR Part 11 Compliance (An … · Computer system validation...

The FDA's New Enforcement of

21 CFR Part 11 Compliance

(An Overview)

June 2012

The FDA‟s New Enforcement of 21 CFR Part 11 Compliance (An Overview)

June 2012

© 2012, HCL Technologies, Ltd. Reproduction prohibited. This document is protected under copyright by the author. All rights reserved.

Contents

About Validation ................................................................................ 3

Abbreviations .................................................................................... 4

FDA Regulation Along the Drug Life ................................................. 5

Other Challenges .............................................................................. 6

Modules/Steps Involved in the Validation Process ........................... 7

Module 1: Regulatory Requirements ................................................ 8

Module 2: Steps for Cost Effective Computer System Validation ... 11

Module 3: Initial and Ongoing Tests of Software and Computer Systems........................................................................................... 14

Module 4: Minimum Validation Documentation Validation .............. 15

Module 5: Qualification of Network Infrastructure and Validation of Network System .............................................................................. 16

Module 6: Understanding FDA Part 11 and the EU GMP Annex 11 ..... 17

Case Study ...................................................................................... 19

Conclusion....................................................................................... 20

Reference ........................................................................................ 21

Author Info ....................................................................................... 21


June 2012


3

About Validation

Validation:

Validation is defined as the act of testing for compliance with a

standard.

Need for validation in computer systems:

Required by regulations – US FDA, EMA, GMP, GCP, GLP

Ensures consistent data and product quality

Helps to protect intellectual property through scientifically

sound data

In 1997, the United States Food and Drug Administration (FDA)

issued a regulation that provides criteria for acceptance by the FDA

of electronic records, electronic signatures and handwritten

signatures. This was done in response to requests from the

industry. With this regulation, titled Rule 21 CFR Part 11 (henceforth

referred to as Part 11), electronic records can be equivalent to

paper records and handwritten signatures.

Title 21 is the portion of the Code of Federal Regulations that

governs food and drugs within the United States for the Food and

Drug Administration (FDA), the Drug Enforcement Administration

(DEA), and the Office of National Drug Control Policy (ONDCP).

Compliance is not as easy as it seems.

The premise may seem straightforward, but implementing these

regulations, adhering to them, and being able to document that the

organization is compliant is quite complex. This paper provides you

with information on HCL guidelines for Part 11.


June 2012


4

Abbreviations

Sl.

No. Acronyms Full Form

1. CFR Code of Federal Regulations

2. EU European Union

3. GMP Good Manufacturing Practices

4. AGMP (Automated Good Manufacturing Practices)

5. GLP Good Laboratory Practices

6. GCP Good Clinical Practices

7. GxP GLP+GCP+GMP = Predicate Rules

8. EMA European Medicines Agency

9. URS User Requirement Specification

10. PIC/S Pharmaceutical Inspection Convention/Cooperation Scheme

11. OQ Operational Qualification

12. DQ Design Qualification

13. PQ Performance Qualification

14. IQ Installation Qualification


June 2012


5

FDA Regulation Along the Drug Life

Part 11 applies to all records that are defined in the underlying acts

and regulations which govern activities in the life sciences

industries. These underlying acts and regulations, which are

referred to as the “predicate rules,” are any requirements set forth in

the FDCA Act (Federal Food, Drug and Cosmetic Act), the PHS Act

(Public Health Service Act), or any FDA regulation (GLP, GMP, and

GCP). The predicate rules mandate what records are to be

maintained, the content of those records, whether signatures are

required, how long records must be maintained, and so on.

Part 11 requires drug makers, medical device manufacturers,

biotech companies, biologics developers, and other FDA-regulated

industries to implement controls, including audits, system

validations, audit trails, electronic signatures, and documentation for

software and systems involved in processing electronic data that are

either required to be maintained by the FDA predicate rules or used

to demonstrate compliance to a predicate rule. Part 11 applies to all

existing and all newly-installed systems.

Application areas of 21 CFR Part 11

Part 11 applies to all existing and newly installed systems


June 2012


6

Challenges

A wave of change is sweeping through the life sciences industry.

Electronic records and electronic signatures are replacing paper

records and hand-written signatures. The challenge is to comply

with the regulations while implementing the most efficient and

effective systems possible. Although companies initially may resist

moving toward compliance, the return on investment for accepting

the change is high. Likewise, the penalty for non-compliance can be

severe.

The regulation has been largely open to interpretation, resulting in

many different compliance approaches. While the FDA is dictating

what needs to be done, how it is to be done is left to individual

companies.

There are several problems or challenges associated with Part 11 in

life science firms:

Part 11 is a regulation to promote public safety through an

organization‟s ability to control data integrity with respect to

authorized and unauthorized modifications to records. Data

integrity and information security are the key objectives of

Part 11.

To begin the move to compliance, a Part 11 gap assessment

should be performed on all systems subject to records

requirements set forth in the FDA regulations.

Failure to comply can lead to denial of a New Drug

Application (NDA), potential delay in manufacturing, “483”

warning letters, civil penalties, and even prosecution for

negligence. These penalties, and the resulting delay in

releasing new drugs, can cost life science firms millions of

dollars.

Steps for attaining initial compliance to Part 11 have been

documented, which can help the organization achieve FDA

compliance.

Challenges to adhere to Part 11

Data integrity and

information security

Gap assessment

Revenue loss


June 2012


7

Modules/Steps Involved in the Validation Process

There are six steps involved in the validation process, which are listed below.

Regulatory requirements

Steps for cost-effective computer system validation

Initial and ongoing tests of software and computer systems

Minimum validation documentation inspectors want to see

Qualification of network infrastructure and validation of

network systems

Understanding the spirit and basics of the FDA Part 11 and

the EU GMP Annex 11


June 2012


8

Module 1: Regulatory Requirements

Regulatory requirements require persons to “employ procedures

and controls, designed to ensure the authenticity, integrity, and

confidentiality of electronic records, and to ensure that the signer

cannot readily repudiate the signed record as not genuine.” Various

steps have been derived to satisfy these requirements.

Computer system validation

Regulation and quality standards

Validation master plan

Validation approach – lifecycle models

Computer System Validation

Computer systems used to create, modify, and maintain electronic

records and to manage electronic signatures are also subject to the

validation requirements. Systems that maintain certain employee

training records may even be subject to validation. Such computer

systems must be validated to ensure accuracy, reliability, consistent

intended performance, and the ability to discern invalid or altered

records.

Validation is a systematic documentation of system requirements,

combined with documented testing, demonstrating that the

computer system meets the documented requirements. It is the first

requirement identified in Part 11 for compliance. Validation requires

that the system owner maintain the collection of validation

documents, including requirement specifications and testing

protocols.

Regulation and Quality Standards

The requirements in this part govern the methods, facilities and

controls used for the design, manufacture, packaging, labeling,

storage, installation, and servicing of all finished devices intended

for human use, so they should satisfy:

Steps to achieve regulatory requirements

Computer system

validation

Regulation and quality

standards

Validation of master plan

Validation approach -

lifecycle models

Risk-based validation for records generated


June 2012


9

GLP (Good Laboratory Practices)

GCP (Good Clinical Practices)

GMP (Good Manufacturing Practices)

AGMP (Automated Good Manufacturing Practices)

FDA‟s 21 CFR Part 11/EU Annex 11 (electronic records and

signatures)

(Automated) equipment should be suitable for its intended use

Equipment should be routinely checked

Validation Master Plan

A Validation Master Plan (VMP) is an integral part of a well

organized validation project. It documents the company's approach

to complex validation projects. The VMP has a broad scope. It

clarifies responsibilities, general objectives, procedures to be

followed for validation, and it prioritizes multiple validation tasks. It

may reference several protocols and procedures to be written in

order to conduct the qualification of several different pieces of

equipment and different processes. It may also specify schedules

for validation and the allocation of resources needed to perform the

validation. VMP provides a means of communication to everyone

associated with the project. It lets management know how the

company‟s resources are being allocated and when they will see the

results. It tells the validation team what they have to do, when they

have to do it, and gives them a means of tracking progress. Other

groups can find out what the validation team is doing and what their

roles are in support of the validation project. The FDA can look at

the VMP and see the validation project is well thought out and

organized; there is a logical reason for including or excluding every

system from the validation project based on a risk analysis.

Validation Approach – Lifecycle Models

Validation is not a one-time event. Validation starts when you plan

and design a product (hardware, software) or a method. Validation

is finished when the product is retired and all data is successfully

moved to a new system. Validation follows one of the lifecycle

models.


June 2012


10

Risk-Based Validation

Specific requirements for computers and electronic records and

signatures are also defined in the FDA‟s regulations Part 11 on

electronic records and signatures. This regulation applies to all

FDA-regulated areas, and has specific requirements to ensure the

trustworthiness, integrity and reliability of records generated,

evaluated, transmitted and archived by computer systems. In 2003,

the FDA published guidance on scope and applications of Part 11.


June 2012


11

In this document, the FDA promoted the concept of risk-based

validation.

Defined Actions for Risk Categories:

Module 2: Steps for Cost Effective Computer System Validation

Form a Project Team which should include representatives from

these key areas:

IT

QA

User groups

Validation groups, if applicable

Regulatory affairs

Documentation

Purchasing

They should meet regularly to make critical decisions and

communicate to a wider user base.

Risk

Level Business Continuity Compliance/Health

High

Failure has a

significant impact on

delivery of products for

several days

Failure of the system may

cause harm to patients and

there is no correction

possible

Medium

Failure has potential

to impact the delivery

of products for 1 or 2

days

Failure of the system may

cause harm to patients and

there is a good potential to

correct the failure

Low

Failure has negligible

impact on product

delivery

Failure of the system will not

cause harm to patients

Steps to achieve cost effective computer system validation

Form a project team

Document the user

requirements

Develop a validation

project plan

Conduct risk

assessment

Assess supplier

Installation

qualification

Operational and

performance

qualification

Validation report


June 2012


12

Document the User Requirements which should be based on

requirement specification, risk assessment and GMP impact. User

requirements should be traceable throughout the lifecycle. The

document should cover the below-mentioned points to address this

requirement.

Contents

Justification for system

Intended application, e.g. electronic documents management

Intended environment (computer and network, operating

environment, e.g. laboratory, manufacturing and office)

Process overview

Detailed user requirements

Signature and approval

When to write URS?

Who writes it, who approves it?

Develop a Validation Project Plan which should define the

activities, procedures and responsibilities for establishing the

adequacy of the system. It should be derived from the company‟s

validation master plan. There should be a specific strategy,

approach, risk assessment, resources, responsibilities, activities

and deliverables of the validation effort. It can be written in a table

template or a flow text form, as shown below.

Table

Purpose of the plan

Product description

Validation strategy

Responsibilities (position)

Supplier assessment

Risk assessment

Testing strategies and reporting

DQ

IQ

OQ

PQ

Traceability matrix

Procedures

Approval

Documents and control


June 2012


13

Conduct Risk Assessment

Risk assessment should be applied throughout the lifecycle of the

computerized system. As part of a risk management system,

decisions on the extent of validation and data integrity should be

based on a justified and documented risk assessment. The purpose

is to optimize resources toward high-risk systems. Various inputs for

risk assessment such as user experience with the same equipment

already installed, user experience with similar equipment already

installed, IT staff experience with the same or similar equipment,

experience with the equipment vendor, information from the vendor

on what can go wrong (during testing and ongoing use), etc.

Assess Supplier

The regulated user should take all responsible steps to ensure the

system has been developed in accordance with an appropriate

quality management system. The purpose is to determine the

adequacy of the supplier quality system.

Installation Qualification

Collect the supplier‟s environmental conditions, operating and

working instructions and maintenance requirements compare

systems, as received, with the purchase order. System installation is

according to vendor specifications such as servers, clients, licenses,

and installation protocol.

Install interfaces, e.g. an e-mail system with impact analysis. Design

an overview with system drawings, e.g. data flow, and testing for

successful installation. Check documentation for accuracy and

completeness. Document all components with asset and serial

numbers.

Operational and Performance Qualification

Ensure the system works in your environment and identify critical

functions for the computer systems as defined in the functional and

user environment specifications. Develop these as test cases for the

functions and define acceptance criteria, or take advantage of the

vendor‟s OQ package. Perform the test and evaluate results,

compare with the acceptance criteria, and finally document the

results. Ensure smooth application-specific operation and suitable

performance of the complete system through the ongoing operation.


June 2012


14

Validation report

It should include a brief description of each project activity used to

review all preceding validation activities and indicate the status of

the system prior to implementation into the production environment.

Deviations from the project plan should be documented and a risk

assessment should be performed.

Module 3: Initial and Ongoing Tests of Software and Computer Systems

A test should be developed, formally documented and used to

demonstrate that the system has been installed and is operating

and performing satisfactorily, and ensures that system requirements

are met. Keep the test evidence on justified and documented risk

assessment: keep hard copy screen prints for high impact functions.

Consider testing of native functions carefully. The extent of testing

should be based on risk, complexity and novelty.


June 2012


15

Module 4: Minimum Document Validation

Documentation which inspectors want to see is listed below.

Documentation

Required SOPs (examples)

Supplier and service providers agreement

Suppliers and service providers assessment information

Supplier agreement

Data back-up

Back-up storage locations, validation, back-up frequency and

documentation

Periodic evaluation and review of computer systems

Internal audits of computer system

Business continuity plan

Disaster recovery plan preparation

System retirement

Maintenance support

Framework (corporate, site, department)

For individual projects processes

For individual products

Test records

List of documents for validation


June 2012


16

Module 5: Qualification of Network Infrastructure and Validation of Network System

Why Care About Network Infrastructure?

A well-qualified network infrastructure increases system uptime and

reduces maintenance costs. Ensure that the network is qualified at

least once, and not for each application. Network infrastructure is

subject to FDA/EU inspection.

Regulation/Guidelines for Qualification/Validation of Network

Infrastructure

The Gxps-system should be suitable for the intended use

21 CFR Part 11 – E-signatures/Records - Defines

requirements for electronic records; electronic signatures in

FDA regulated industries

PIC/s Good Practice Guide - Has lots of good

recommendations on using computers in regulated

environments

Necessity for network infrastructure

Regulations for validation of network infrastructure


June 2012


17

Module 6: Understanding FDA Part 11 and the EU GMP Annex 11

FDA Part 11 and the EU GMP Annex 11 insist on the below-

mentioned points:

Control of Closed System (11.10)

Validation

Accurate and complete copies

Protection and retrieval of records

Limited access to systems and data

Electronic audit trail

Authority checks

Device checks

Operational system checks

People qualification

Individual accountability

Controls over system documentation

Digital Signatures (11.30)

Use of digital signatures for open systems

Electronic Signatures (11.50, 11.70, 11.100, 11.13)

Requirements for signed electronic records

Linking records to signatures

Requirements for electronic signatures

Electronic signature components

FDA 21 CFR Part 11 & EU GMP Annex 11: General Requirements for Electronic Signatures

E-signature must be unique. Ex: user ID and password,

biometric devices

Identity of individuals must be verified

Identification code must be periodically checked, recalled and

revised

Pass card must be periodically tested

Attempts at unauthorized access must be reported

FDA Part 11 and the EU GMP Annex 11 compliance requirement


June 2012


18

The use of an e-signature must be certified with the FDA

Annex 11 requires 1 and 2 along with the additional

requirements below:

Risk management

Supplier and service provider management

Data entry and processing

Data accuracy checks

Change management

Periodic evaluation

Incident management

Batch release

Business continuity

Regulation (Annex 11)

For electronic records, regulated users should define which data are

to be used as raw data. At least, all data on which quality decisions

are based should be defined as raw data (EU Annex 11).

Recommendation

For hybrid systems, clearly define if electronic data or printouts are

raw data. If printouts are defined as raw data, they should include all

required records.


June 2012


19

Case Study

The use of electronic records is expected to be more cost-effective

for the industry and the FDA. The approval process is expected to

be shorter and access to documentation will be faster and more

productive. HCL has provided 21CFR Part 11 compliant

assessment for many clients on various requirements. One of the

case studies is mentioned below for reference.

Client Requirement

To create a validation plan for a universal testing machine with 21

CFR Part 11 compliance assessments.

HCL Solution

HCL created the validation plan and a tracking system to monitor

the 21CFR Part 11 compliance requirement.

The validation plan defines:

Validation strategy for providing the documented evidence

necessary to demonstrate that the universal testing machine

functions according to requirements

Roles and responsibilities to implement and to be maintained

in validated state

Validation deliverables required to qualify the client process

and FDA requirement

Deliverables

Required deliverables for the universal testing machine (UTM)

validation plan are as follows:

Validation plan

Quality and regulatory assessment

21 CFR Part 11 coverage assessment

User requirements specification

Risk level and other risk documentation, e.g. PFMEA, if any.

DFMEA and PFMEA documents were not required as the risk

was medium, based on the risk assessment document.

Test cases for installation and user requirements

Requirement traceability matrix

Standard operating procedure

21 CFR Part 11 compliance assessment


June 2012


20

Conclusion

The ultimate goal of computer system validation is to produce

documentation that actually raises the quality instead of just

producing more paper.

Over the years, HCL has developed a step-by-step approach to

computer system validation - 21 CFR Part 11 compliance. This step-

by-step procedure adheres to the FDA rules to meet Part 11

requirements and to ensure the electronic records and electronic

signatures are trustworthy, reliable and compatible with the FDA‟s

public health responsibilities.


June 2012


21

References

Code of Federal Regulations, Title 21, Food and Drugs, Part 11

Electronic Records; Electronic Signatures

L. Huber, “Validation of Computerized Analytical and Networked

Systems”

FDA Guidance for Industry Part 11, Electronic Records;

Electronic Signatures Scope and Applications

L. Huber, “Risk-Based Validation of Commercial Off-the-Shelf

Computer Systems”

Author Info

Kannan Palaniappan – Kannan has over 10 years of experience in new product design and development on electro-mechanical products, including three and a half years of medical product design. He has worked in cryoablation system design and development, and orthopedics instrument and sterilization unit system development.

Prasanna Kumar Thirunavukkarasu – Prasanna has over eight years of experience in new product design and development on electro-mechanical products that includes over a year in medical product design. He has worked in design and development of “energy-based devices” and orthopedic implants and instruments.

Hello, I’m from HCL’s Engineering and R&D Services. We enable technology led organizations to go to market with innovative products and solutions. We partner with our customers in building world class products and creating associated solution delivery ecosystems to help bring market leadership. We develop engineering products, solutions and platforms across Aerospace and Defense, Automotive, Consumer Electronics, Software, Online, Industrial Manufacturing, Medical Devices, Networking & Telecom, Office Automation, Semiconductor and Servers & Storage for our customers.

For more details contact [email protected]

Follow us on twitter: http://twitter.com/hclers

Visit our blog: http://ers.hclblogs.com/

Visit our website: http://www.hcltech.com/engineering-services/

About HCL

About HCL Technologies HCL Technologies is a leading global IT services company, working with clients in the areas that impact and redefine the core of their businesses. Since its inception into the global landscape after its IPO in 1999, HCL focuses on „transformational outsourcing‟, underlined by innovation and value creation, and offers integrated portfolio of services including software-led IT solutions, remote infrastructure management, engineering and R&D services and BPO. HCL leverages its extensive global offshore infrastructure and network of offices in 26 countries to provide holistic, multi-service delivery in key industry verticals including Financial Services, Manufacturing, Consumer Services, Public Services and Healthcare. HCL takes pride in its philosophy of 'Employees First, Customers Second' which empowers our 83,076 transformers to create a real value for the customers. HCL Technologies, along with its subsidiaries, has reported consolidated revenues of US$ 4 billion (Rs. 19,412 crores), as on TTM ended Mar 31 '12. For more information, please visit www.hcltech.com

About HCL Enterprise HCL is a $6.2 billion leading global technology and IT enterprise comprising two companies listed in India - HCL Technologies and HCL Infosystems. Founded in 1976, HCL is one of India's original IT garage start-ups. A pioneer of modern computing, HCL is a global transformational enterprise today. Its range of offerings includes product engineering, custom & package applications, BPO, IT infrastructure services, IT hardware, systems integration, and distribution of information and communications technology (ICT) products across a wide range of focused industry verticals. The HCL team consists of over 90,000 professionals of diverse nationalities, who operate from 31 countries including over 500 points of presence in India. HCL has partnerships with several leading global 1000 firms, including leading IT and technology firms.

For more information, please visit www.hcl.com

The FDA's New Enforcement of 21 CFR Part 11 Compliance (An … · Computer system validation...

Documents

Transcript of The FDA's New Enforcement of 21 CFR Part 11 Compliance (An … · Computer system validation...