Combat the Misconceptions of 21 CFR Part 11
EduQuest EDUcation: QUality Engineering, Science, & Technology
Global team of FDA compliance experts based near Washington, DC
Founded by former senior officials from FDA’s Office of Regulatory Affairs (ORA) Headquarters
Advising pharmaceutical, biologics, and medical device companies worldwide since 1995
Focus on Audits and Training for Part 11, Validation, Quality Systems, Risk Management, Inspection Readiness
22 years with U.S. FDA
Special Assistant to Associate Commissioner of Regulatory Affairs
Co-Author of 21 CFR Part 11
FDA expert field investigator, inspecting facilities worldwide
Former chair of U.S. ISO 9000 committee
Helped to develop QSR for Medical Devices
Chair of EduQuest live training courses (www.EduQuest.net)
Evolution of Part 11 and Why It’s Back in the News
Overview and Key Requirements of Part 11
How FDA Inspects Computerized Systems
© 2016 EduQuest, Inc.
Over 20 years since the beginning of the process –
• Part 11 still doesn’t meet FDA’s or the industry’s objectives
• We’re still talking past one another
Remember the context of FDA’s pre-existing focus on software and computerized systems
FDA did not issue Part 11 on its own initiative
• The pharmaceutical industry asked FDA for rules to deal with electronic submissions and recordkeeping
• Classic example of “be careful what you ask for”
Agency officials who understood computer systems and software engineering knew that Part 11 wasn’t necessary for FDA to do its job
• The vast majority of the Part 11 requirements already existed under the “predicate rules”
• Remember – FDA has enforced its expectations for computerized systems since the late 1970s
Several key missteps
• FDA did not fully understand the state of industry practice at the time
• Used terminology that didn’t help
The title of the regulation itself
The use of the term “audit trail”
• Several years of unclear, shifting, unscientific, and virtually useless guidance
The one remaining guidance document (on the Scope and Application of Part 11) wasn’t very effective in clarifying what the regulated industries were struggling with
Overstated the nature and impact of “enforcement discretion”
Left a lot of open and unanswered questions
• FDA’s expectations for a “justified and documented risk assessment”
• Whether very many legacy systems can actually meet the stated criteria for avoiding Part 11
Positions with no rational science behind them
• For example, using only printed paper records to make regulatory decisions
Failed to provide needed clarity
• For example, that medical device quality and production related systems must be validated (there is no leeway for the device industry)
It’s simple – Part 11 is back in the news because FDA:
• Continues to see significant problems with data integrity (including outright fraud)
• Does not trust what it’s seeing and what the pharmaceutical industry is saying about its impact
• Wants to return back to the original intent and objectives
CDER announced this initiative in May 2010
• To “evaluate the current pharmaceutical industry understanding of, and compliance with, 21 CFR Part 11” and “where industry may not be complying with, or understand, the enforcement approach as stated in the guidance”
Some of the possible outcomes include –
• Maintaining the “status quo, plus publishing additional guidance”
• “Amending the existing Part 11 regulation and/or preamble”
Some of the possible outcomes include –
• “Proposing new wording / language to existing CPGs and CPMGs that contain outdated interpretations of Part 11 requirements”
• “Revoking” or “amending” the current Scope and Application guidance
Officials within CDER “have become aware of serious problems with recordkeeping, especially electronic, and are interested in looking at the industry to determine what steps need to be taken to reestablish compliance”
The “intent is the same one we had in FDA before we published the Advance Notice of Proposed Rulemaking” (in 1992)
FDA’s original intent in defining and drafting Part 11 was based on a set of straightforward and simple objectives –
• To encourage and facilitate the adoption of technological improvements without a loss in data integrity
• To provide for no less integrity of electronic data and electronic signatures than for paper-based data and signatures
• To accomplish the above within the existing regulatory framework
FDA did not want to “reinvent the wheel” and chose to
• Rely on existing FDA recordkeeping regulations
• Draw from industries experienced in dealing with electronic data integrity (e.g., the financial, banking, and legal industries)
• Apply “common sense” (often referred to as a “risk-based” approach)
1) Data integrity (the primary basis for all of the requirements);
2) The quality and reliability of software and computerized systems, in accordance with their intended uses; and
3) An appropriate degree of contemporaneously-developed objective evidence that supports and demonstrates that the first two objectives have been met
Compliance with basic, well-established good software and systems engineering practice
• Been around for decades (very little has changed)
• Will get you 99% of the way there
• FDA didn’t create a lot of additional requirements
Exceptions – FDA does expect a written and approved validation plan and validation report
“GxP” (Good X Practices)
• cGMP, GMP, QSR, GCP, GLP, GTP, ER/ES
• “Predicate Rules”
• 21 CFR Part Everything Else!
What is it?
• FDA’s regulation for the use of electronic records and electronic signatures
• Sets forth the rules for acceptability and use of electronic records and signatures in lieu of “paper” records and “handwritten” signatures
What does 21 CFR Part 11 apply to?
• Any record required by FDA which you create, modify, maintain, archive, retrieve, or transmit in electronic form
• Any record you submit to FDA in electronic form (required or not)
Note – Part 11 does not supersede any other regulations
Part 11 does not create any new record or signature requirements
Use of electronic records as well as their submission to FDA is voluntary (except for drug labeling and many more instances that are being developed)
The agency can and does use regulatory discretion in enforcement (this is not a new concept or approach)
Software and system validation
Data change documentation and control (audit trails)
System security
Electronic signature security
Code and password security and maintenance
Biometric / non-biometric signature requirements
Record retention and protection
Operational checks
Authority checks
Device checks
Document control (including system deliverables)
Additional necessary controls for “open” systems
Electronic signature requirements
• Printed name display
• Date and time of signature
• Signature meaning
• Signature linking
• Uniqueness
• Identity verification, being established or certified
Independently computer generated
All changes which create, modify, or delete data
Date and time stamped
Identifies who made the change
Must not obscure previous data
Retention for full period defined by the predicate rules
Available for inspection, copying, and review
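The audit trail attributes listed above, as an added Python sketch that is not part of the original slides. The class and method names (AuditedStore, AuditEntry) and the sample data are hypothetical; retention periods are not modeled because they come from the predicate rules.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Optional

@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime        # set by the system clock, never by the caller
    user_id: str               # identifies who made the change
    action: str                # "create", "modify" or "delete"
    record_id: str
    old_value: Optional[Any]   # previous data is kept, not obscured
    new_value: Optional[Any]

class AuditedStore:
    """Hypothetical record store: every write path calls _log() itself."""

    def __init__(self):
        self._records = {}
        self._trail = []       # append-only; no method edits or removes entries

    def _log(self, user_id, action, record_id, old, new):
        self._trail.append(AuditEntry(datetime.now(timezone.utc), user_id,
                                      action, record_id,
                                      copy.deepcopy(old), copy.deepcopy(new)))

    def create(self, user_id, record_id, value):
        if record_id in self._records:
            raise KeyError(f"{record_id} already exists")
        self._records[record_id] = copy.deepcopy(value)
        self._log(user_id, "create", record_id, None, value)

    def modify(self, user_id, record_id, value):
        old = self._records[record_id]
        self._records[record_id] = copy.deepcopy(value)
        self._log(user_id, "modify", record_id, old, value)

    def delete(self, user_id, record_id):
        old = self._records.pop(record_id)
        self._log(user_id, "delete", record_id, old, None)

    def trail(self, record_id=None):
        """Read-only copy of the trail for inspection, copying and review."""
        return tuple(e for e in self._trail
                     if record_id is None or e.record_id == record_id)

def demo():
    # Constructed sample data, not from the original slides.
    store = AuditedStore()
    store.create("asmith", "batch-001", {"assay_pct": 98.7})
    store.modify("bjones", "batch-001", {"assay_pct": 99.1})
    store.delete("bjones", "batch-001")
    return store.trail("batch-001")
```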
The system must assure that only authorized users qualified by documented training and approval can −
• Use the system
• Access the operations
• Electronically sign a record
• Alter a record
• Access input and output devices
Biometric –
• Based on unique physical attributes (fingerprints, retinal scan, voice prints, face recognition, etc.)
Non-Biometric –
• At least two methods of identification (typically user ID and password)
For multiple signings during a “continuous” session
• If not biometric, both components of the signature must be entered on the first signing
• For subsequent signings during the same continuous session, only one component is required
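The continuous-session rule for non-biometric signatures, as an added Python sketch that is not part of the original slides. It assumes the single component re-entered on later signings is the password and that a "continuous" session ends after 15 minutes without a signing; the slides specify neither, and all names here are hypothetical.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta, timezone

SESSION_TIMEOUT = timedelta(minutes=15)   # assumed limit for a "continuous" session

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(printed_name: str, password: str):
    salt = os.urandom(16)
    return (printed_name, salt, _hash(password, salt))

class SigningSession:
    """Hypothetical non-biometric signer: user ID plus password."""

    def __init__(self, users):
        self._users = users        # user_id -> (printed name, salt, password hash)
        self._active_user = None
        self._last_signed = None

    def sign(self, record_id, meaning, password, user_id=None, now=None):
        now = now or datetime.now(timezone.utc)
        continuous = (self._active_user is not None
                      and now - self._last_signed <= SESSION_TIMEOUT)
        if not continuous:
            # First signing (or session lapsed): both components are required.
            if user_id is None:
                raise PermissionError("first signing needs user ID and password")
            self._active_user = None
        elif user_id is not None and user_id != self._active_user:
            raise PermissionError("session belongs to another user")
        uid = self._active_user if continuous else user_id
        entry = self._users.get(uid)
        if entry is None or not hmac.compare_digest(_hash(password, entry[1]), entry[2]):
            raise PermissionError("identification failed")
        self._active_user, self._last_signed = uid, now
        # Manifestation: printed name, date/time and meaning, linked to the record.
        return {"record_id": record_id, "printed_name": entry[0],
                "signed_at": now.isoformat(), "meaning": meaning}
```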
Part 11 remains in force with one applicable guidance document (guidance on Part 11 Scope and Application)
FDA is exercising enforcement discretion while further evaluating Part 11 for potential changes
FDA has established internal good guidance practices
FDA inspections monitor for compliance with Part 11 just as they monitor for proper record keeping in accordance with other FDA regulations
Outlines FDA’s thinking in five specific areas –
• Validation, audit trails, legacy systems, copies of records, and record retention
Repeated emphasis on the predicate rules
Decisions must be formally justified and documented
• FDA expects a risk-based approach using a risk (or hazard control) methodology
An established development process or methodology
A written and approved validation plan
Documented requirements
Documented functional specifications
Documented design specifications
Documented testing protocols and evidence of reviews of objective test results
Documented evidence of installation protocols and evidence of test results and review
A written and approved validation report
Complete, documented traceability (from requirements to testing)
Documentation of responsible approvals
A defined maintenance / change control process / methodology including risk analysis
Documentation of changes / change impact and risk assessment / periodic monitoring
An effective vendor management process
System security
Management doesn’t fully understand the –
• Nature and extent of the regulatory requirements
• Fundamental components of basic good software and systems engineering practice and how they are directly related to real business benefits
• Magnitude of the work and resources needed to bring hundreds or thousands of systems into compliance
Lack of full and consistent understanding of the –
• Scope of what’s required by the “predicate rules” (including the logical extensions and the interpreted and/or enforced meaning of the requirements)
• Logical and scientific bases for some of the key requirements (such as validation) – continues to drive some companies’ resistance to adopt practices that will routinely meet those requirements
Thinking that Part 11 is a quality issue
Focusing on a software package rather than the system as a whole
Lack of management support (resources, time)
Not doing anything for a non-validated system that is “going to be replaced”
Failure to plan for and address “meta data”
Vendor certification is all that is needed for COTS (commercial-off-the-shelf) software
Part 11 is primarily focused on electronic signatures
Manual audit trails are acceptable
If I print and sign, I can delete the electronic record
FDA will collect copies of many electronic records
FDA Compliance Training Classes available from EduQuest:
FDA Auditing of Computerized Systems and Part 11/Annex 11, Oct. 31-Nov. 2, 2016 (FDA’s expectations for data integrity. Includes 3 mock FDA audits of real-world computer systems.)
The CAPA Clinic: CAPA Systems, Failure Investigations & Complaint Management, Nov. 3-4, 2016 (Improving your CAPA system through better data collection, management reporting, trending, and root cause analysis)
QSR Compliance Basics, September 26-27, 2016 (Fully understand your company’s obligations for Quality Systems under 21 CFR 820)
Design Control for Medical Devices, September 28-29, 2016 (How FDA expects you to develop, implement, and manage design controls)
All offered publicly or as on-site, on-demand classes -- when and where you need them.
Details at www.EduQuest.net, or Email: [email protected]