21 CFR Part 11 Rules for complying with the rules Marilyn M. Marshall QAO Office of the Vice-President for Research Lindy Brigham March 30, 2006
The Rules • The rules and your lab • The rules and your business • The rules • Your role in interpreting the rules
Rules and Research Labs • Good research requires good laboratory practices • Ho, experimental design, proceedures • Equipment maintenance • Employee training • Data Collection • Record keeping
Rules and Business • The same concepts apply to industry research PLUS • Safety issues for consumers • Efficacy expectations • But the time and money constraints are very different in industry • “From industry’s perspective, it is a big challenge to understand how it can combine compliance with improving business performance”
The Business of Compliance • How you bring new products to market, how you produce your existing product offerings and how you maintain your competitive advantage will all be impacted by the timeliness of your reaction to 21CFR11. • The drama will be played-out in both the medicine cabinets of consumers and in the boardrooms of Wall Street. • 21CFR11 & Better Business Practices: Moving Beyond Compliance by Robert Yeager, President, Intellution Inc.
Intellution wants YOUR business • The FDA tells you that you MUST comply with 21CFR11 • Intellution shows you why you’ll WANT TO comply
Compliance Requirements • Record keeping • Submissions to the Regulatory Agencies to show compliance • The Government Paperwork Elimination Act
The Government Paperwork Elimination Act • The focus of the GPEA is to promote the doing of business electronically, with the public and otherwise. • The GPEA (P.L. 105-277) took effect on October 21, 1998. • Under the GPEA persons required to submit information to the government, or maintain information, must be given the option to do so electronically when practicable.
21 CFR Part 11 • 21 CFR 11 defines the criteria under which the FDA will accept electronicrecords and electronic signatures as equivalent to paper-based records and handwritten signatures. • ERES – Everybody Run, Everybody Scream
Intent • The 21 CFR 11 criteria are designed to: • prevent accidental alterations to electronic records • deter deliberate falsification • and help detect such changes when they do occur.
Subpart A – scope, implementation, definitions • Subpart B – electronic records • Subpart C – electronic signatures
Scope • applies to records in electronic form that are • created, • modified, • maintained, • archived, • retrieved, or • transmitted,. • under any records requirements set forth in agency regulations
Electronic Record • any combination of text, graphics, data, audio, pictorial, or other information in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system
Electronic Signature • a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature
Applicability of 21CFR11 • Is the record or signature electronic? • Is the record or signature required by an existing FDA regulation (predicate rule), or by an SOP • Is the record or signature for submission to the Agency, or in support of that submission?
Predicate Rules • Any requirements set forth in the Act (Federal Food, Drug and Cosmetic Act), the PHS Act (Public Health Service Act), or any FDA regulation (GxP: GLP, GMP, GCP, etc.). • The predicate rules mandate what records must be maintained; the content of records; whether signatures are required; how long records must be maintained, etc. • If there is no FDA requirement that a particular record be created or retained, then 21 CFR Part 11 most likely does not apply to the record.
The term “Predicate Rule” is NOT used in the 21 CFR Part 11 Final Rule. • The term “Predicate Rule” is used in the Part 11 Guidance for Industry document(s)
Your role in interpreting the rules • The FDA has acknowledged that a “one size fits all” interpretation of regulations, such as 21FCR11, is not feasible. • The onus of regulatory interpretation is on the organization being regulated • Organizations must now justify their course of action based on their interpretation of the regulations, as well as any risk associated with those actions
Are you in compliance? • Risk-Based Assessment
Definition of Risk (IEEE) • A measure of the probability and severity of undesired effects, often as the simple product of probability and consequence.
Definition of Risk Assessment • A systematic evaluation of the risk of a process by determining • what can go wrong (risk identification) • how likely is it to occur (risk estimation) • and what the consequences are.
Part 11 Scope and Application Guidance “We (FDA) recommend that you base your approach on a justified and documented risk assessmentand a determination of the potential of the system to affect productquality, safety, & record integrity.”
Part 11 Scope and Application Guidance “We (FDA) suggest that your decision on how to maintain records be based onpredicate rule requirements and on a justified and documented risk assessment and a determination of value of the records over time.”
Good Practices For Computerised Systems In Regulated “GXP” Environments • A risk-based approach is one way to demonstrate that you have applied a controlled methodology, to determine the degree of assurance that a computerised system is fit for it’s intended purpose.
Consequences (Severity) of Risk If a system should fail to be fit for its intended use, what would be the impact: • Public Health and Safety – Death, Injury, Illness • Product Quality and Safety – Adulteration, Defective • Compliance – Warning Letter, 483, Study Non-compliance • Business Continuation – Out of Business, Loss of Business • Operation – Delay of project, Operator frustration
Risk Impacts • Critical/ Non-critical • Low/ Medium/ High • Defined and Quantifiable number (e.g. 1-3 or 1-10)
Examples of Systems High Risk: • Manufacturing Batch Records • Patient Records • Laboratory Test Results • LIMS and QA systems Low Risk: • Environmental Monitoring Records (not affecting product quality) • Training Records • Master Schedule System
Methods of Determining Risk High Level RiskFailure of the system • May cause harm to patients, and there is no correction possible • Has significant impact on business operations for several days Medium Level RiskFailure of the system • Can cause harm to patients, but the failure is likely to be able to be corrected • Has potential impact on business operations for a few days Low Level RiskFailure of the system • Will not cause harm to patients • Will cause negligible impact to business operations
Methods of Determining Risk Probability Impact
Methods of Determining Risk Failure Mode Effects Analysis (FMEA) Type Method Severity • 3 = High Impact • 2 = Medium Impact • 1 = Low Impact Occurrence • 3 = High Probability of Occurring • 2 = Medium Probability of Occurring • 1 = Low Probability of Occurring Detection • 3 = High Probability of Going Undetected • 2 = Medium Probability of Going Undetected • 1 = Low Probability of Going Undetected (Failure will be easily detected)
Methods of Determining Risk • Risk Value = Severity X Occurrence X Detection e.g. High Severity X High Occurrence X Low Chance of Detection (High Risk) Risk Value = 3 X 3 X 3 = 27 Med Severity X Med Occurrence X Low Chance of Detection (High Risk) Risk Value = 2 X 2 X 3 = 12 Low Severity X Low Occurrence X High Chance of Detection (Low Risk) Risk Value = 1 X 1 X 1 = 1 Med Severity X High Occurrence X High Chance of Detection (Low Risk) Risk Value = 2 X 3 X 1 = 6 • This Methods Makes It Easier To Prioritize & • Clearly Identifies The Higher Risk Systems!
Evaluating Risk Factors Need for Validation: • High Level Risk Assessment • Major Functionalities of the System • Identified Associated Risk Extent of Validation: • More Detailed Assessment • Sub-functions and User Requirements • Impact of Risk related to those Functions Need and Extent of Audit Trail: • Impact of Risk Resulting from Accidental or Intentional Adverse Events • Traceability and Integrity of Records Method of Record Retention: • Impact from Loss of Record vs. Impact on Record Retrievability (by not using electronic capabilities).
Examples of Justification of Risk Factors Risk to Human Health & Safety = Low • <Company> is not involved in the analysis of final drug or biological product, drug substance, active pharmaceutical ingredients (APIs), or in the final testing of medical device performance or combination products. The direct risk to human health and safety therefore is determined to be minimal.
Examples of Justification of Risk Factors Part 11 Applicability = Low • <> has identified the hardcopy paper records as the primary raw data. Only in cases where reprocessing is necessary will the electronic raw data file be used. Electronic records maintained in non-instrument related databases (e.g. sample tracking system, sample labeling, training documentation) are entered from original paper documentation which is maintained and archived in secure facility files.
Examples of Justification of Risk Factors Risk of Data Corruption = Low • The risk and probability of unintentional corruption of electronic records is considered to be low based on the level of education, skill, and training of the staff. Computerized systems are qualified and validated to assure proper performance of the system for its intended use. In most cases, paper records are available for the reconstruction of the data.
References Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application, CDER, August 2003www.fda.gov/cder/guidance/5667fnl.pdf Guidance for Industry Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations DRAFT, September 2004www.fda.gov/cber/gdlns/qualsystem.pdf Good Practices For Computerised Systems In Regulated “GXP” Environments PIC/S GUIDANCE PI 011-21 July 2004www.picscheme.org/BAK/docs/pdf/PI%20011-2%20Recommendation%20on%20Computerised%20Systems.pdf FDA Glossary of Computerized System and Software Development Terminologywww.fda.gov/ora/inspect_ref/igs/gloss.html The Impact of the Guidance for Industry Part 11 , Electronic Records, Electronic Signatures – Scope and Application White Paper, Robert J. Finamore CSSC, Inc Sept 4, 2003www.csscinc.net/company/Impact%20of%20New%20Part%2011%20Guidance.pdf ISPE Risk-Based Approach to 21 CFR Part 11www.ispe.org/Template.cfm?Section=Search&CONTENTID=9020&TEMPLATE=/ContentManagement/ContentDisplay.cfm
References (con’t) Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application, CDER, August 2003www.fda.gov/cder/guidance/5667fnl.pdf Guidance for Industry Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations DRAFT, September 2004www.fda.gov/cber/gdlns/qualsystem.pdf Good Practices For Computerised Systems In Regulated “GXP” Environments PIC/S GUIDANCE PI 011-21 July 2004www.picscheme.org/BAK/docs/pdf/PI%20011-2%20Recommendation%20on%20Computerised%20Systems.pdf FDA Glossary of Computerized System and Software Development Terminologywww.fda.gov/ora/inspect_ref/igs/gloss.html The Impact of the Guidance for Industry Part 11 , Electronic Records, Electronic Signatures – Scope and Application White Paper, Robert J. Finamore CSSC, Inc Sept 4, 2003www.csscinc.net/company/Impact%20of%20New%20Part%2011%20Guidance.pdf ISPE Risk-Based Approach to 21 CFR Part 11www.ispe.org/Template.cfm?Section=Search&CONTENTID=9020&TEMPLATE=/ContentManagement/ContentDisplay.cfm
Risk Management • Risk Assessment - Assess Potential Risks and Consequences • Risk Identification – Identify the Potential Risks • Risk Estimation – Determine the Likelihood that the Risk will Occur • Risk Impact – Determine the Potential Impact of the Risk • Risk Detection – Determine the Detectibility of the Risk • Risk Classification – Define & Quantify Risk Level • Risk Analysis – Determine Cost/Benefit Analysis • Risk Mitigation/Avoidance – Determine Risks which can be Lessened or Avoided • Risk Strategy - Determine and Document Strategies for Managing Risk • Risk Monitoring – Monitor Changes, New Risks, Risk Levels & Update Risk Plans