FDA 21 CFR Part 11 and Related Regulations and Guidances


  1. FDA 21 CFR 11 and Related Regulations and Guidance
     Part 1 – Review of Life Sciences IT Security Requirements
     The Hollis Group, Inc. Doc. # 2521_00_06x © 2006 - 2012 The Hollis Group, Inc. Subject: Infrastructure Assurance
  2. Electronic Signatures Fundamentals - Scope
     • As stated elsewhere, records that have been electronically signed must be secure, accurate and reproducible in order for the electronic signatures to have any validity
     • Therefore our agenda will include laws, regulations and binding guidance that bear upon the electronic records required by the "predicate rules" applicable to our regulated products or components:
  3. e-Signature Regulations and Guidance
     • 21 CFR Part 11 – Electronic Records, Electronic Signatures – FDA – August 20, 1997
     • Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS – FDA – April, 1999
  4. e-Signature Regulations and Guidance
     • General Principles of Software Validation; Final Guidance for Industry and FDA Staff – FDA – January 11, 2002
     • Guidance for Industry Part 11, Electronic Records; Electronic Signatures – Scope and Application – FDA – August 2003
  5. e-Signature Regulations and Guidance
     • Volume 4 Good Manufacturing Practice (GMP) Guidelines: Annex 11 Computerised Systems – Eudralex – Effective June 2011
     • DRAFT Guidance for Industry – Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices – FDA - CDER, CBER, CVM, CDRH – December 2011
  6. e-Signature Predicate Rules – US FDA
     • 21 CFR PART 210 — CURRENT GOOD MANUFACTURING PRACTICE IN MANUFACTURING, PROCESSING, PACKING, OR HOLDING OF DRUGS; GENERAL
     • 21 CFR PART 211 — CURRENT GOOD MANUFACTURING PRACTICE FOR FINISHED PHARMACEUTICALS
     • 21 CFR PART 820 — QUALITY SYSTEM REGULATION
     • 21 CFR PART 821 — MEDICAL DEVICE TRACKING REQUIREMENTS
  7. Not "Predicate Rules" But Touching the Subject
     • U.S. Food, Drug, & Cosmetic Act – 21 USC 331 (Prohibited acts)
     • Sarbanes – Oxley (SOX) – Pub.L. 107-204, 116 Stat. 745, Jul. 30, 2002
     • Gramm – Leach – Bliley (GLB) – Pub.L. 106-102, 113 Stat. 1338, Nov. 12, 1999
     • The Electronic Signatures in Global and National Commerce Act (ESIGN) – Pub.L. 106-229, 14 Stat. 464, enacted June 30, 2000, 15 U.S.C. ch.96
     • Fed. Rules of Criminal & Civil Procedure & Evidence
  8. Some Interesting Bits… From the U.S. Congress
     • 18 USC 1001 - False information
     • 18 USC 1341 - Mail fraud
     • 18 USC 1343 - Wire fraud
     • 18 USC 1905 - Leaking information
  9. An Important Note About 21 CFR 11
     This regulation applies to all electronic records, including those that are NOT electronically signed.
     21 CFR § 11.1 Scope. (b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations.
  10. An Important Note About Annex 11
      This regulation applies to all electronic records, including those that are NOT electronically signed.
      Principle: This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill certain functionalities.
  11. An Even More Important Note About 21 CFR 11 / Annex 11
      The only time that you will actually use the electronic signatures on the electronic records will be when SOMEONE IS A CRIMINAL.
      We’re getting a little ahead of ourselves, but this is an important concept to keep in mind: There actually are real threats out there.
  12. Electronic Signatures and Catching Criminals
      • We only check a signature when we doubt the veracity of an electronic record.
      • A document can be adulterated for only one of two reasons: error or fraud.
      • The technology’s "integrity check" function makes the probability of an unidentifiable error extremely remote (i.e., 2^128).
      • Therefore, the very action of challenging a signature is the equivalent of an accusation of deliberate fraud (i.e., a crime).
  13. Eudralex Volume 4 Good Manufacturing Practice (GMP) Guidelines: Annex 11 Computerised Systems
      Effective June 2011
  14. Annex 11 – Principle / General
      "Should" == "must", validate the applications, qualify the infrastructure, no decrease in quality or increase in risk introduced by the computer system
      1. Risk Management – Document a risk-managed approach to the system lifecycle
         Patient safety, data integrity, product quality
      2. Personnel – Appropriate qualifications, access levels and assigned responsibilities
      3. Suppliers and Service Providers – Appropriate agreements, audits based on risk assessments
         More stringent than personnel requirements
  15. Annex 11 – Project Phase
      4. Validation (It is interesting to note that all validation is in this phase.)
         4.1 – Risk assessment > life cycle steps > validation documents
         4.2 – Validation documents must include any change control records and deviations
         4.3 – Accurate GMP systems inventory with functions and structures of critical ones
         4.4 – There must be life-cycle traceable User Requirements Specifications based on GMP risk
  16. Annex 11 – Project Phase
         4.5 – The supplier should be "assessed" to have used a QMS during development
         4.6 – Bespoke-code systems must have more rigorous life-cycle reporting / controls
         4.7 – There must be documented evidence of appropriate system testing
         4.8 – There must be documented evidence of accurate data transfer or migration
  17. Annex 11 – Operational Phase
      5. Data – Data exchanges require integrity checks
      6. Accuracy Checks – Manual data entry (of critical data) requires a second accuracy check.
         – Risk analysis for criticality
         – Manual or automated second check
      7. Data Storage – Data must be secured physically and logically, and these mechanisms must be verified during validation and periodically re-verified.
      8. Printouts – There must be printout capability for stored data that includes before / after views of any changes to batch release data.
  18. Annex 11 – Operational Phase
      9. Audit Trails – There must be a risk assessment to determine if an audit trail is required for changes or deletions of GMP-related electronic records.
         – System-generated, regularly reviewed, and the "reason for change" must be documented
         – Although they are not required to be included within the audit trail itself
      10. Change and Configuration Management – must only be done in a controlled manner via a defined procedure
      11. Periodic evaluation – More accurately, periodic re-evaluation for function, problems, security, etc.
  19. Annex 11 – Operational Phase
      12. Security
          12.1 – Physical and logical controls
          12.2 – Control extent based upon criticality
          12.3 – Record operator ID and date / time for: Creation, change, or cancellation of credentials
          12.4 – Record operator ID and date / time for: Entering, changing, confirming, or deleting data
      13. Incident Management – Report all incidents, root cause / CAPA of critical incidents
          "Incident" is poorly defined
  20. Annex 11 – Operational Phase
      14. Electronic Signature(s) – Acceptable on electronic records, allowed if they:
          a. have the same impact as hand-written signatures within the boundaries of the company,
          b. are permanently linked to their respective record,
          c. include the time and date that they were applied.
      15. Batch release – If a computerized system is used for batch release, it must use e-signatures and a QP must do the signing
      16. Business Continuity – Required (paper backup?)
      17. Archiving – Data "may" be archived? If it is, the archive must be tested, etc.
  21. Annex 11 – Glossary
      • Application
      • Bespoke/Customized computerized system
      • Commercial, off-the-shelf software
      • IT Infrastructure
      • Life cycle
      • Process owner
      • System owner
      • Third Party
  22. Recent Observations In the Field: November 2011
      • 10,000+ employee manufacturer / service company in regulated industries
        – Defense, Aerospace, Telecom, etc.
      • Inventory control and tracking experts
        – Automated warehouse, barcodes, RFID, etc.
      • Moving into Pharmaceutical / Medical Device
        – Learning curve on 21 CFR 11, VV&Q, etc.
      • Major findings by "Big Pharma" audit teams:
        – SDLC, Training Records, Device History Records, CAPA, Change Control, Document Management
  23. Recent Observations In the Field: July 2011
      THE UNITED STATES ATTORNEY’S OFFICE, DISTRICT of NEW JERSEY
      FOR IMMEDIATE RELEASE, July 1, 2011
      Former Shionogi employee arrested, charged with hack attack on company servers
      NEWARK, N.J. – A Georgia man who allegedly froze the operations of a New Jersey pharmaceutical company where he had worked by deleting portions of its computer network has been federally charged in connection with the alleged attack, U.S. Attorney Paul J. Fishman announced.
      Jason Cornish, 37, of Smyrna, Ga., was arrested this morning near his residence by special agents of the FBI on a Complaint charging him with knowingly transmitting computer code with the intent to damage computers in interstate commerce. He is expected to make an initial appearance this afternoon before U.S. Magistrate Judge Janet F. King in Atlanta federal court.
  24. Recent Observations In the Field: March 2011
      • FDA CDER withholds Pre-Approval Inspection for Manufacturing Facility
      • FDA Inspectional Findings: Inspection found that NMR testing files could be deleted.
      • Also, no audit trail for the spectra acquired by the NMR.
      • No audit trail for computer system running heparin purity test
        – I.e., Lot release criteria
  25. March 2011, FDA CDER PAI Withhold
      • Electronic data is the original raw data.
      • Firm stated that they had used the hardcopy data as official information and it was archived.
      • Investigator audited electronic files, and found multiple electronic spectra with no corresponding spectra in the hardcopy archive.
      • NMR instrument also not qualified.
        – no IQ, OQ, or PQ
  26. Thanks! Any Questions?
      Thomas Quinn, CISSP, AAA
      The Hollis Group, Inc., PO Box 187, Paoli, PA 19301
      v - 610-889-7350, f - 610-296-2314
      www.hollisgroup.com, tquinn@hollisgroup.com
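
The controls in slides 12 and 18 to 20 (integrity check, audit trail recording operator ID and date / time, signature permanently linked to its record and carrying its time and date), as an added Python example that is not part of the original slides. The HMAC key is an assumption standing in for a signer's private key in a real digital-signature scheme, and all function and field names are hypothetical.

```python
# Added illustration; names, fields and the HMAC stand-in are assumptions.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" of the first audit entry

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _digest(obj) -> str:
    return hashlib.sha256(_canon(obj)).hexdigest()

def sign_record(record, signer_id, meaning, signed_at, key):
    """Bind signer, meaning and date/time to the exact record content."""
    body = {"record_sha256": _digest(record), "signer": signer_id,
            "meaning": meaning, "signed_at": signed_at}
    return {**body, "mac": hmac.new(key, _canon(body), hashlib.sha256).hexdigest()}

def verify_signature(record, sig, key) -> bool:
    """True only if the signature block is authentic and the record is unchanged."""
    body = {k: v for k, v in sig.items() if k != "mac"}
    expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, sig.get("mac", ""))
            and body.get("record_sha256") == _digest(record))

def append_audit(trail, operator, at, action, before, after, reason):
    """System-generated entry: who, when, what changed, why; chained to its predecessor."""
    entry = {"seq": len(trail), "operator": operator, "at": at, "action": action,
             "before": before, "after": after, "reason": reason,
             "prev": trail[-1]["hash"] if trail else GENESIS}
    entry["hash"] = _digest(entry)  # digest is taken before the "hash" key exists
    trail.append(entry)
    return entry["hash"]

def verify_trail(trail, anchored_head=None) -> int:
    """Return -1 if intact, else the index of the first inconsistent entry.
    anchored_head is the latest hash kept outside the system; without it,
    removal of the newest entries cannot be detected."""
    prev = GENESIS
    for i, e in enumerate(trail):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev or _digest(body) != e.get("hash"):
            return i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(trail)
    return -1
```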
