Marilyn M. Marshall QAO Office of the Vice-President for Research Lindy Brigham March 30, 2006 21 CFR Part 11 Rules for complying with the rules


Marilyn M. Marshall QAO

Office of the Vice-President for Research

Lindy Brigham

March 30, 2006

21 CFR Part 11

Rules for complying with the rules

The Rules

The rules and your lab

The rules and your business

The rules

Your role in interpreting the rules

Rules and Research Labs

Good research requires good laboratory practices

Ho, experimental design, procedures

Equipment maintenance

Employee training

Data Collection

Record keeping

Rules and Business

The same concepts apply to industry research PLUS

Safety issues for consumers

Efficacy expectations

But the time and money constraints are very different in industry

“From industry’s perspective, it is a big challenge to understand how it can combine compliance with improving business performance”

The Business of Compliance

How you bring new products to market, how you produce your existing product offerings and how you maintain your competitive advantage will all be impacted by the timeliness of your reaction to 21CFR11.

The drama will be played-out in both the medicine cabinets of consumers and in the boardrooms of Wall Street.

21CFR11 & Better Business Practices: Moving Beyond Compliance by Robert Yeager, President, Intellution Inc.

Intellution wants YOUR business

The FDA tells you that you MUST comply with 21CFR11

Intellution shows you why you’ll WANT TO comply

Compliance Requirements

Record keeping

Submissions to the Regulatory Agencies to show compliance

The Government Paperwork Elimination Act

The Government Paperwork Elimination Act

The focus of the GPEA is to promote the doing of business electronically, with the public and otherwise.

The GPEA (P.L. 105-277) took effect on October 21, 1998.

Under the GPEA persons required to submit information to the government, or maintain information, must be given the option to do so electronically when practicable.

21 CFR Part 11

21 CFR 11 defines the criteria under which the FDA will accept electronic records and electronic signatures as equivalent to paper-based records and handwritten signatures.

ERES – Everybody Run, Everybody Scream

Intent

The 21 CFR 11 criteria are designed to:

prevent accidental alterations to electronic records

deter deliberate falsification

and help detect such changes when they do occur.

Subpart A – scope, implementation, definitions

Subpart B – electronic records

Subpart C – electronic signatures

Scope

applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations

Electronic Record

any combination of text, graphics, data, audio, pictorial, or other information in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system

Electronic Signature

a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature

Applicability of 21CFR11

Is the record or signature electronic?

Is the record or signature required by an existing FDA regulation (predicate rule), or by an SOP?

Is the record or signature for submission to the Agency, or in support of that submission?

Predicate Rules

Any requirements set forth in the Act (Federal Food, Drug and Cosmetic Act), the PHS Act (Public Health Service Act), or any FDA regulation (GxP: GLP, GMP, GCP, etc.).

The predicate rules mandate what records must be maintained; the content of records; whether signatures are required; how long records must be maintained, etc.

If there is no FDA requirement that a particular record be created or retained, then 21 CFR Part 11 most likely does not apply to the record.

The term “Predicate Rule” is NOT used in the 21 CFR Part 11 Final Rule.

The term “Predicate Rule” is used in the Part 11 Guidance for Industry document(s)

Your role in interpreting the rules

The FDA has acknowledged that a “one size fits all” interpretation of regulations, such as 21CFR11, is not feasible.

The onus of regulatory interpretation is on the organization being regulated

Organizations must now justify their course of action based on their interpretation of the regulations, as well as any risk associated with those actions

Are you in compliance?

Risk-Based Assessment

Definition of Risk (IEEE)

A measure of the probability and severity of undesired effects, often as the simple product of probability and consequence.

Definition of Risk Assessment

A systematic evaluation of the risk of a process by determining

what can go wrong (risk identification)

how likely is it to occur (risk estimation)

and what the consequences are.

Part 11 Scope and Application Guidance

“We (FDA) recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality, safety, & record integrity.”

Part 11 Scope and Application Guidance

“We (FDA) suggest that your decision on how to maintain records be based on predicate rule requirements and on a justified and documented risk assessment and a determination of value of the records over time.”

A risk-based approach is one way to demonstrate that you have applied a controlled methodology, to determine the degree of assurance that a computerised system is fit for its intended purpose.

Good Practices For Computerised Systems In Regulated “GXP” Environments

Consequences (Severity) of Risk

If a system should fail to be fit for its intended use, what would be the impact:

Public Health and Safety – Death, Injury, Illness

Product Quality and Safety – Adulteration, Defective

Compliance – Warning Letter, 483, Study Non-compliance

Business Continuation – Out of Business, Loss of Business

Operation – Delay of project, Operator frustration

Risk Impacts

Critical/ Non-critical

Low/ Medium/ High

Defined and Quantifiable number (e.g. 1-3 or 1-10)

Examples of Systems

High Risk:

Manufacturing Batch Records

Patient Records

Laboratory Test Results

LIMS and QA systems

Low Risk:

Environmental Monitoring Records (not affecting product quality)

Training Records

Master Schedule System

Methods of Determining Risk

High Level Risk: Failure of the system

May cause harm to patients, and there is no correction possible

Has significant impact on business operations for several days

Medium Level Risk: Failure of the system

Can cause harm to patients, but the failure is likely to be able to be corrected

Has potential impact on business operations for a few days

Low Level Risk: Failure of the system

Will not cause harm to patients

Will cause negligible impact to business operations

Methods of Determining Risk

Risk level by Impact (rows) and Probability (columns):

Impact     Probability: Low    Medium    High
Low                     L      L         M
Medium                  L      M         H
High                    M      H         H

Methods of Determining Risk

Failure Mode Effects Analysis (FMEA) Type Method

Severity

3 = High Impact

2 = Medium Impact

1 = Low Impact

Occurrence

3 = High Probability of Occurring

2 = Medium Probability of Occurring

1 = Low Probability of Occurring

Detection

3 = High Probability of Going Undetected

2 = Medium Probability of Going Undetected

1 = Low Probability of Going Undetected (Failure will be easily detected)

Methods of Determining Risk

Risk Value = Severity X Occurrence X Detection

e.g. High Severity X High Occurrence X Low Chance of Detection (High Risk)

Risk Value = 3 X 3 X 3 = 27

Med Severity X Med Occurrence X Low Chance of Detection (High Risk)

Risk Value = 2 X 2 X 3 = 12

Low Severity X Low Occurrence X High Chance of Detection (Low Risk)

Risk Value = 1 X 1 X 1 = 1

Med Severity X High Occurrence X High Chance of Detection (Low Risk)

Risk Value = 2 X 3 X 1 = 6

This Method Makes It Easier To Prioritize & Clearly Identifies The Higher Risk Systems!

Evaluating Risk Factors

Need for Validation:

High Level Risk Assessment

Major Functionalities of the System

Identified Associated Risk

Extent of Validation:

More Detailed Assessment

Sub-functions and User Requirements

Impact of Risk related to those Functions

Need and Extent of Audit Trail:

Impact of Risk Resulting from Accidental or Intentional Adverse Events

Traceability and Integrity of Records

Method of Record Retention:

Impact from Loss of Record vs. Impact on Record Retrievability (by not using electronic capabilities).

Examples of Justification of Risk Factors

Risk to Human Health & Safety = Low

<Company> is not involved in the analysis of final drug or biological product, drug substance, active pharmaceutical ingredients (APIs), or in the final testing of medical device performance or combination products. The direct risk to human health and safety therefore is determined to be minimal.

Part 11 Applicability = Low

<> has identified the hardcopy paper records as the primary raw data. Only in cases where reprocessing is necessary will the electronic raw data file be used. Electronic records maintained in non-instrument related databases (e.g. sample tracking system, sample labeling, training documentation) are entered from original paper documentation which is maintained and archived in secure facility files.

Examples of Justification of Risk Factors

Risk of Data Corruption = Low

The risk and probability of unintentional corruption of electronic records is considered to be low based on the level of education, skill, and training of the staff. Computerized systems are qualified and validated to assure proper performance of the system for its intended use. In most cases, paper records are available for the reconstruction of the data.

References

Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application, CDER, August 2003. www.fda.gov/cder/guidance/5667fnl.pdf

Guidance for Industry Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations, DRAFT, September 2004. www.fda.gov/cber/gdlns/qualsystem.pdf

Good Practices For Computerised Systems In Regulated “GXP” Environments, PIC/S GUIDANCE PI 011-2, 1 July 2004. www.picscheme.org/BAK/docs/pdf/PI%20011-2%20Recommendation%20on%20Computerised%20Systems.pdf

FDA Glossary of Computerized System and Software Development Terminology. www.fda.gov/ora/inspect_ref/igs/gloss.html

The Impact of the Guidance for Industry Part 11, Electronic Records, Electronic Signatures – Scope and Application, White Paper, Robert J. Finamore, CSSC, Inc, Sept 4, 2003. www.csscinc.net/company/Impact%20of%20New%20Part%2011%20Guidance.pdf

ISPE Risk-Based Approach to 21 CFR Part 11. www.ispe.org/Template.cfm?Section=Search&CONTENTID=9020&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Risk Management

Risk Assessment - Assess Potential Risks and Consequences

Risk Identification – Identify the Potential Risks

Risk Estimation – Determine the Likelihood that the Risk will Occur

Risk Impact – Determine the Potential Impact of the Risk

Risk Detection – Determine the Detectability of the Risk

Risk Classification – Define & Quantify Risk Level

Risk Analysis – Determine Cost/Benefit Analysis

Risk Mitigation/Avoidance – Determine Risks which can be Lessened or Avoided

Risk Strategy - Determine and Document Strategies for Managing Risk

Risk Monitoring – Monitor Changes, New Risks, Risk Levels & Update Risk Plans