Title: 21 CFR Part 11: A Risk Management Perspective
1. 21 CFR Part 11: A Risk Management Perspective
Patrick D. Roche 07 March 2003, Washington D.C.
2. Proposed Agenda
- Recent 21 CFR Part 11 Developments
- Risk Management Perspective
- Potential Integration with other Legislation
- Examples
- Conclusion
3. Recent Developments
- CDER is now responsible for enforcement of 21 CFR Part 11
- All previous Part 11 guidance has been withdrawn
- New draft guidance has been provided
- Draft guidance acknowledges that:
  - Statements made by agency staff may have been misinterpreted as policy
  - The use of technology has been restricted, contrary to the agency's intent
  - The cost of compliance far exceeds the agency's expectations
  - Part 11 has discouraged innovation without a significant public health benefit
4. Recent Developments
- Part 11 is being re-examined and may be revised
- Certain areas will be subject to enforcement discretion (validation, audit trails, record retention and record copying)
- All other areas will continue to be enforced
5. Recent Developments
- Narrow Scope: Part 11 applies when persons choose to use records in electronic format in place of paper records
- Decisions to rely on paper or electronic records should be documented
- Audit Trail
  - A risk-based approach should be followed where audit trails are not required by predicate rules
  - Focus on adds, changes or deletions of records that impact quality, safety and efficacy
- Validation
  - A risk-based approach should be followed where validation is not required by predicate rules
  - Word processing software that is used to create paper-based SOPs would likely not require validation
- Copies of records
- Record Retention - Risk Assessment driven
6. Recent Developments
- There are wide-ranging opinions regarding what these changes mean
- Key messages
  - Part 11 is not going to go away
  - The changes should not significantly modify your approach
  - One size does not fit all
  - Focus on risk management: an effective internal control structure that protects product safety, quality and efficacy
7. Risk Management Perspective
- Everything is not important: only those things that impact quality, safety or efficacy
- Risk: anything that can prevent an objective from being met
- Consider an ORCA Approach
  - Analyze Business Process
  - Understand Quality Related Objectives
  - What are the Risks that could impact the objectives?
  - What Controls must be established to mitigate the risks?
  - Validation provides evidence that the controls are in place and Aligned with objectives and risks
  - If system based controls are not in place, what other mitigating controls can be established?
  - Document risk assessment and decision process
8. Linkage of 21 CFR Part 11 with COSO and Sarbanes-Oxley
[Diagram: COSO Structure. Labels: COSO Component, Business Process, Transaction, Control Objective, Risk, Issue, Control Activity, Action Plan, Control Activities, Testing]
9. Examples
- Business Process: Procurement
- IT Infrastructure
10. Procurement - Example
11. Procurement: Vendor Qualification
[Flow diagram. Labels: Vendor Evaluation and Qualification; Vendor Master Maintenance; Vendor Confirmation; Create Purchase Requisitions and Purchase Order (PO); Goods Receipt and Reconciliation; Material or Service Master Maintenance; Return to Vendor; Material Qualification; NO; YES; Contracts and Pricing; MT; Payment to Vendor]
MT: Material Traceability must be defined after a material is accepted and qualified. This includes the assignment of unique lot numbers after receipt at a manufacturing site.
12. People, Process and Technology
[Diagram: People, Process and Technology. Processes: New Vendors are selected; New Vendors are Qualified by QM Personnel; Procurement of Raw Materials; Receipt of Goods; Material Qualification; Material Traceability - Assign Lot Numbers; Vendor Payments. People: Purchasing Personnel; Quality Management Personnel; Warehouse Personnel; Warehouse or Operations Personnel. Technology: Vendor Setup in system; System records Vendor Qualification details; System records Material Qualification details; Material lot numbers and tracking recorded in the system; Payment generated from system. Also labelled: SOP.]
13. Procurement: Vendor Qualification
- Vendor Evaluation and Qualification Controls
  - Audit Trails for Vendor Qualification are established, including appropriate electronic record and signature requirements to meet 21 CFR Part 11
  - Vendor Qualification policies and procedures have been established and implemented
  - Vendor Qualifications are restricted to authorized personnel
  - Materials must be procured only from qualified vendors
  - Quality procedures are distributed to approved vendors on a regular basis and are included as part of the negotiations for new external sourcing arrangements
- Associated Risk/Consideration
  - Unauthorized vendors may be found in the Master Vendor File
  - Materials may be procured from unqualified vendors
  - Approved vendors may not meet FDA requirements
  - Regulatory exposure
  - Records of vendor qualification reviews and results may be inappropriate or not exist
14. Address Book Controls
- Vendor Address Book Maintenance Controls
  - Restricted access to Vendor Master File
  - Vendor Master File changes are tracked via an associated audit trail
  - Electronic signatures and records are maintained as appropriate for all Vendor Master Changes in accordance with 21 CFR Part 11
- Associated Risk/Consideration
  - Unauthorized purchases may result
  - Unauthorized payments to vendors may occur
  - Duplicate Vendor Master records may exist
  - Changes to vendor Master files may not be cGMP compliant as accurate, traceable and approved
  - Regulatory exposure
15. Example: IT Infrastructure
16. IT Infrastructure Example
17. Conclusion
- Don't stop your Part 11 efforts
- Re-examine your approach in light of the new guidance
- Don't overcomplicate the process
- Think process and then technology
- Incorporate risk management concepts wherever possible
- Document risk assessment and decision processes
18. Contact Information
- Patrick D. Roche,
- Florham Park, NJ
- (973)236-4844
19. PwC