21 CFR Part 11

1
21 CFR Part 11

• Rules for complying with the rules

Marilyn M. Marshall QAO Office of the
Vice-President for Research Lindy Brigham March
30, 2006
2
The Rules

• The rules and your lab
• The rules and your business
• The rules
• Your role in interpreting the rules

3
Rules and Research Labs

• Good research requires good laboratory practices
• Ho, experimental design, proceedures
• Equipment maintenance
• Employee training
• Data Collection
• Record keeping

4
Rules and Business

• The same concepts apply to industry research PLUS
• Safety issues for consumers
• Efficacy expectations
• But the time and money constraints are very
  different in industry
• From industrys perspective, it is a big
  challenge to understand how it can combine
  compliance with improving business performance

5
The Business of Compliance

• How you bring new products to market, how you
  produce your existing product offerings and how
  you maintain your competitive advantage will all
  be impacted by the timeliness of your reaction to
  21CFR11.
• The drama will be played-out in both the medicine
  cabinets of consumers and in the boardrooms of
  Wall Street.
• 21CFR11 Better Business Practices Moving
  Beyond Compliance by Robert Yeager, President,
  Intellution Inc.

6
Intellution wants YOUR business

• The FDA tells you that you MUST comply with
  21CFR11
• Intellution shows you why youll WANT TO comply

7
Compliance Requirements

• Record keeping
• Submissions to the Regulatory Agencies to show
  compliance
• The Government Paperwork Elimination Act

8
The Government Paperwork Elimination Act

• The focus of the GPEA is to promote the doing of
  business electronically, with the public and
  otherwise.
• The GPEA (P.L. 105-277) took effect on October
  21, 1998.
• Under the GPEA persons required to submit
  information to the government, or maintain
  information, must be given the option to do so
  electronically when practicable.

9
21 CFR Part 11

• 21 CFR 11 defines the criteria under which the
  FDA will accept electronic records and electronic
  signatures as equivalent to paper-based records
  and handwritten signatures.
• ERES Everybody Run, Everybody Scream

10
Intent

• The 21 CFR 11 criteria are designed to
• prevent accidental alterations to electronic
  records
• deter deliberate falsification
• and help detect such changes when they do occur.

11

• Subpart A scope, implementation, definitions
• Subpart B electronic records
• Subpart C electronic signatures

12
Scope

• applies to records in electronic form that are
• created,
• modified,
• maintained,
• archived,
• retrieved, or
• transmitted, .
• under any records requirements set forth in
  agency regulations

13
Electronic Record

• any combination of text, graphics, data, audio,
  pictorial, or other information in digital form
  that is created, modified, maintained, archived,
  retrieved, or distributed by a computer system

14
Electronic Signature

• a computer data compilation of any symbol or
  series of symbols executed, adopted, or
  authorized by an individual to be the legally
  binding equivalent of the individuals
  handwritten signature

15
Applicability of 21CFR11

• Is the record or signature electronic?
• Is the record or signature required by an
  existing FDA regulation (predicate rule), or by
  an SOP
• Is the record or signature for submission to the
  Agency, or in support of that submission?

16
Predicate Rules

• Any requirements set forth in the Act (Federal
  Food, Drug and Cosmetic Act), the PHS Act (Public
  Health Service Act), or any FDA regulation (GxP
  GLP, GMP, GCP, etc.).
• The predicate rules mandate what records must be
  maintained the content of records whether
  signatures are required how long records must be
  maintained, etc.
• If there is no FDA requirement that a particular
  record be created or retained, then 21 CFR Part
  11 most likely does not apply to the record.

17

• The term Predicate Rule is NOT used in the 21
  CFR Part 11 Final Rule.
• The term Predicate Rule is used in the Part 11
  Guidance for Industry document(s)

18
Your role in interpreting the rules

• The FDA has acknowledged that a one size fits
  all interpretation of regulations, such as
  21FCR11, is not feasible.
• The onus of regulatory interpretation is on the
  organization being regulated
• Organizations must now justify their course of
  action based on their interpretation of the
  regulations, as well as any risk associated with
  those actions

19
Are you in compliance?

• Risk-Based Assessment

20
Definition of Risk (IEEE)

• A measure of the probability and severity of
  undesired effects, often as the simple product of
  probability and consequence.

21
Definition of Risk Assessment

• A systematic evaluation of the risk of a
  process by determining
• what can go wrong (risk identification)
• how likely is it to occur (risk estimation)
• and what the consequences are.

22
Part 11 Scope and Application Guidance

• We (FDA) recommend that you base your
  approach on a justified and documented risk
  assessment and a determination of the potential
  of the system to affect product quality, safety,
  record integrity.

23
Part 11 Scope and Application Guidance

• We (FDA) suggest that your decision on how
  to maintain records be based onpredicate rule
  requirements and on a justified and documented
  risk assessment and a determination of value of
  the records over time.

24
Good Practices For Computerised Systems In
Regulated GXP Environments

• A risk-based approach is one way to demonstrate
  that you have applied a controlled methodology,
  to determine the degree of assurance that a
  computerised system is fit for its intended
  purpose.

25
Consequences (Severity) of Risk

• If a system should fail to be fit for its
  intended use, what would be the impact
• Public Health and Safety Death, Injury, Illness
• Product Quality and Safety Adulteration,
  Defective
• Compliance Warning Letter, 483, Study
  Non-compliance
• Business Continuation Out of Business, Loss of
  Business
• Operation Delay of project, Operator
  frustration

26
Risk Impacts

• Critical/ Non-critical
• Low/ Medium/ High
• Defined and Quantifiable number (e.g. 1-3 or 1-10)

27
Examples of Systems

• High Risk
• Manufacturing Batch Records
• Patient Records
• Laboratory Test Results
• LIMS and QA systems
• Low Risk
• Environmental Monitoring Records (not affecting
  product quality)
• Training Records
• Master Schedule System

28
Methods of Determining Risk

• High Level RiskFailure of the system
• May cause harm to patients, and there is no
  correction possible
• Has significant impact on business operations for
  several days
• Medium Level RiskFailure of the system
• Can cause harm to patients, but the failure is
  likely to be able to be corrected
• Has potential impact on business operations for a
  few days
• Low Level RiskFailure of the system
• Will not cause harm to patients
• Will cause negligible impact to business
  operations

29
Methods of Determining Risk
Probability
  Low Medium High
Low L L M
Medium L M H
High M H H
Impact
30
Methods of Determining Risk

• Failure Mode Effects Analysis (FMEA) Type Method
• Severity
• 3 High Impact
• 2 Medium Impact
• 1 Low Impact
• Occurrence
• 3 High Probability of Occurring
• 2 Medium Probability of Occurring
• 1 Low Probability of Occurring
• Detection
• 3 High Probability of Going Undetected
• 2 Medium Probability of Going Undetected
• 1 Low Probability of Going Undetected (Failure
  will be easily detected)

31
Methods of Determining Risk

• Risk Value Severity X Occurrence X Detection
• e.g. High Severity X High Occurrence X Low Chance
  of Detection (High Risk)
• Risk Value 3 X 3 X 3 27
• Med Severity X Med Occurrence X Low Chance of
  Detection (High Risk)
• Risk Value 2 X 2 X 3 12
• Low Severity X Low Occurrence X High Chance of
  Detection (Low Risk)
• Risk Value 1 X 1 X 1 1
• Med Severity X High Occurrence X High Chance
  of Detection (Low Risk)
• Risk Value 2 X 3 X 1 6
• This Methods Makes It Easier To Prioritize
• Clearly Identifies The Higher Risk Systems!

32
Evaluating Risk Factors

• Need for Validation
• High Level Risk Assessment
• Major Functionalities of the System
• Identified Associated Risk
• Extent of Validation
• More Detailed Assessment
• Sub-functions and User Requirements
• Impact of Risk related to those Functions
• Need and Extent of Audit Trail
• Impact of Risk Resulting from Accidental or
  Intentional Adverse Events
• Traceability and Integrity of Records
• Method of Record Retention
• Impact from Loss of Record vs. Impact on Record
  Retrievability (by not using electronic
  capabilities).

33
Examples of Justification of Risk Factors

• Risk to Human Health Safety Low
• ltCompanygt is not involved in the analysis of
  final drug or biological product, drug substance,
  active pharmaceutical ingredients (APIs), or in
  the final testing of medical device performance
  or combination products. The direct risk to
  human health and safety therefore is determined
  to be minimal.

34
Examples of Justification of Risk Factors

• Part 11 Applicability Low
• ltgt has identified the hardcopy paper records as
  the primary raw data. Only in cases where
  reprocessing is necessary will the electronic raw
  data file be used. Electronic records
  maintained in non-instrument related databases
  (e.g. sample tracking system, sample labeling,
  training documentation) are entered from original
  paper documentation which is maintained and
  archived in secure facility files.

35
Examples of Justification of Risk Factors

• Risk of Data Corruption Low
• The risk and probability of unintentional
  corruption of electronic records is considered to
  be low based on the level of education, skill,
  and training of the staff. Computerized systems
  are qualified and validated to assure proper
  performance of the system for its intended use.
  In most cases, paper records are available for
  the reconstruction of the data.

36
References

• Guidance for Industry Part 11, Electronic
  Records Electronic Signatures Scope and
  Application, CDER, August 2003www.fda.gov/cder/g
  uidance/5667fnl.pdf
• Guidance for Industry Quality Systems Approach
  to Pharmaceutical Current Good Manufacturing
  Practice Regulations DRAFT, September 2004
  www.fda.gov/cber/gdlns/qualsystem.pdf
• Good Practices For Computerised Systems In
  Regulated GXP Environments PIC/S GUIDANCE PI
  011-21 July 2004www.picscheme.org/BAK/docs/pdf/PI
  20011-220Recommendation20on20Computerised20Sy
  stems.pdf
• FDA Glossary of Computerized System and Software
  Development Terminologywww.fda.gov/ora/inspect_re
  f/igs/gloss.html
• The Impact of the Guidance for Industry Part 11 ,
  Electronic Records, Electronic Signatures
  Scope and Application White Paper, Robert J.
  Finamore CSSC, Inc Sept 4, 2003www.csscinc.net/co
  mpany/Impact20of20New20Part201120Guidance.pdf
  
• ISPE Risk-Based Approach to 21 CFR Part
  11www.ispe.org/Template.cfm?SectionSearchCONTEN
  TID9020TEMPLATE/ContentManagement/ContentDispla
  y.cfm

37
References (cont)

• Guidance for Industry Part 11, Electronic
  Records Electronic Signatures Scope and
  Application, CDER, August 2003www.fda.gov/cder/g
  uidance/5667fnl.pdf
• Guidance for Industry Quality Systems Approach
  to Pharmaceutical Current Good Manufacturing
  Practice Regulations DRAFT, September 2004
  www.fda.gov/cber/gdlns/qualsystem.pdf
• Good Practices For Computerised Systems In
  Regulated GXP Environments PIC/S GUIDANCE PI
  011-21 July 2004www.picscheme.org/BAK/docs/pdf/PI
  20011-220Recommendation20on20Computerised20Sy
  stems.pdf
• FDA Glossary of Computerized System and Software
  Development Terminologywww.fda.gov/ora/inspect_re
  f/igs/gloss.html
• The Impact of the Guidance for Industry Part 11 ,
  Electronic Records, Electronic Signatures
  Scope and Application White Paper, Robert J.
  Finamore CSSC, Inc Sept 4, 2003www.csscinc.net/co
  mpany/Impact20of20New20Part201120Guidance.pdf
  
• ISPE Risk-Based Approach to 21 CFR Part
  11www.ispe.org/Template.cfm?SectionSearchCONTEN
  TID9020TEMPLATE/ContentManagement/ContentDispla
  y.cfm

38
Risk Management

• Risk Assessment - Assess Potential Risks and
  Consequences
• Risk Identification Identify the Potential
  Risks
• Risk Estimation Determine the Likelihood that
  the Risk will Occur
• Risk Impact Determine the Potential Impact of
  the Risk
• Risk Detection Determine the Detectibility of
  the Risk
• Risk Classification Define Quantify Risk
  Level
• Risk Analysis Determine Cost/Benefit Analysis
• Risk Mitigation/Avoidance Determine Risks which
  can be Lessened or Avoided
• Risk Strategy - Determine and Document Strategies
  for Managing Risk
• Risk Monitoring Monitor Changes, New Risks,
  Risk Levels Update Risk Plans