Addressing Common Misconceptions About 21 CFR Part 11


Presented by Robert Finamore, Director, IT Compliance and Validation at QPharma, Inc.

Published in: Technology, Business

  1. What is 21 CFR Part 11? • Establishes requirements to ensure Electronic Records and Electronic Signatures have equivalent controls for authenticity, integrity, accountability, and confidentiality as for hardcopy records and signatures.
  2. [Timeline figure, 1997 to 2013; event labels as shown on the slide:] Guidance on Computerized Systems Used in Clinical Investigations; Draft Guidance on Electronic Source Documentation; 21 CFR Part 11 Final Rule; Draft Guidances Published; Part 11 Inspections Assignments; Draft Guidances Withdrawn; Part 11 Inspection Assignments Announced; Part 11 Guidance on Scope and Application; Enforcement "Starts"; EU GMP Annex 11; PIC/S Guidance on Good Practices for Computerized Systems Used in GxP Environments; New Version of EU GMP Annex 11
  3. Narrow Scope • Predicate Rules • Risk Management. Enforcement Discretion • Validation • Audit Trails • Record Retention • Copies of Records. Clarification • “Note that part 11 remains in effect”
  4. Part 58.130(e) • Any change in automated data entries shall be made so as not to obscure the original entry, shall indicate the reason for change, shall be dated, and the responsible individual shall be identified. Part 211.68(b) • In such instances a written record of the program shall be maintained along with appropriate validation data. Part 312.57(c) • A sponsor shall retain the records and reports required by this part for 2 years after a marketing application is approved for the drug...
  5. Example Citation • February 17, 2012 – Biochem Laboratories Inc. • Your firm has failed to exercise appropriate controls over computer or related systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel [21 CFR 211.68(b)]. For example: • a. Your firm did not put in place requirements for appropriate usernames and passwords to allow appropriate control over data collected by your firm's computerized systems including UV, IR, HPLC, and GC instruments. All employees in your firm used the same username and password. In addition, you did not document the changes made to the software or data stored by the instrument systems. Without proper documentation, you have no assurance of the integrity of the data or the functionality of the software used to determine test results.
  6. Example Citation (cont’d) • February 17, 2012 – Biochem Laboratories Inc. • b. Your firm had no system in place to ensure appropriate backup of electronic raw data and no standard procedure for naming and saving data for retrieval at a later date. • In your response, you state that you will maintain backup of electronic raw data and all technicians will have their own user identification (ID) and password. Your response, however, is inadequate because you do not describe how your firm intends to save and back-up the electronic raw data, nor whether your firm will implement audit trails on your computerized systems.
  8. §11.1 - Scope: This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations.
  9. Example Predicate Regulation • 21 CFR Part 312.62(b) • Case histories. An investigator is required to prepare and maintain adequate and accurate case histories that record all observations and other data pertinent to the investigation on each individual administered the investigational drug or employed as a control in the investigation. Case histories include the case report forms and supporting data including, for example, signed and dated consent forms and medical records including, for example, progress notes of the physician, the individual's hospital chart(s), and the nurses' notes. The case history for each individual shall document that informed consent was obtained prior to participation in the study.
  10. Follow the records! LIFECYCLE
  11. Guidance – Scope and Application [diagram labels:] Part 11 Impact; E-Records used in lieu of Paper; E-Records incidental to creation of Paper; E-Records used in addition to Paper; No Part 11 Impact; Only use Paper records
  12. Considerations for using Paper as the Official record • Is E-record really incidental to creation of paper? • Still responsible for data integrity from creation through printing • Decision of paper vs. e-record should be documented • Cannot use paper as a back up
  13. Audit Trail • Provides history of a record • Creation • Modification • Deletion • Automatically generated for all regulated records. Signature • Intent to Authenticate a Record • Legally binding • Requires application of a signature • Used to meet signing requirements of predicate regulations
  14. Example Predicate Regulation • 21 CFR Part 50.27 • (a) Except as provided in 56.109(c), informed consent shall be documented by the use of a written consent form approved by the IRB and signed and dated by the subject or the subject's legally authorized representative at the time of consent. A copy shall be given to the person signing the form.
  15. Signature Types. Handwritten • Writing with a stylus is preserved • Handwritten signatures executed to electronic records • Scanned image of a wet signature • Signing on a digitizing pad • Hybrid systems – e-record + wet signature. Non-Biometric • Multi-component signature entry • E.g. User ID/Password. Biometric • Measurement of unique attributes of the signer
  16. Compliance Technology Process • Intended Use • People • Procedures
  17. Example Part 11 Requirements [table columns: Part 11 Requirement, Procedural, Technical] • §11.10(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. • §11.10(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. • §11.10(d) Limiting system access to authorized individuals.
  18. Record Owner • Ultimately Responsible for Compliance. Due Diligence. Vendor • Leverage Compliance for: • Products • Services
  19. Due Diligence Activities: Onsite Assessment of Vendor – SDLC, QMS, and CSP procedures and controls; Development of Robust Service Level Agreement; Scheduling of Follow-up Assessments
  20. Due Diligence Topics [columns: SDLC/QMS, Service Provider]: Development Practices; Regulatory Knowledge; Testing Practices; Security Management; Configuration Management; System Documentation; Release Management; Personnel Management; Infrastructure Management; Support and Maintenance; Disaster Recovery; Vendor Management; Core System Validation; Quality Improvement; Change Management
  21. Resources: FDA Regulations (21 CFR Part 11 + Predicate Regulations); FDA Guidance Documents (Part 11 Scope & Application, Computerized System in CI, and Electronic Source Documents); GAMP 5 + Good Practice Guides (SDLC, QMS, Validation and Supplier Assessment Topics)
  22. Questions
  23. Thank you for your time! Robert J. Finamore, Director, IT Compliance and Validation, QPharma, Inc. (973) 656-0011, Ex. 2081