Addressing Common Misconceptions About 21 CFR Part 11
-
Upload
forte-research-systems -
Category
Technology
-
view
769 -
download
0
description
Transcript of Addressing Common Misconceptions About 21 CFR Part 11
Addressing Common Misconceptions
About 21 CFR Part 11by
Robert J. FinamoreDirector, IT Compliance and Validation
2
What is 21 CFR Part 11?Establishes requirements to
ensure Electronic Records and Electronic Signatures have equivalent controls for authenticity, integrity, accountability, and confidentiality as for hardcopy records and signatures.
I heard the FDA isno longer enforcing
21 CFR Part 11.
4
1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
Part 11 Guidance onScope and Application
Chart Title
5
• Predicate Rules• Risk Management
Narrow Scope
• Validation• Audit Trails• Record Retention• Copies of Records
Enforcement Discretion
• “Note that part 11 remains in effect”
Clarification
6
•Any change in automated data entries shall be made so as not to obscure the original entry, shall indicate the reason for change, shall be dated, and the responsible individual shall be identified.
Part 58.130(
e)
•In such instances a written record of the program shall be maintained along with appropriate validation data.
Part 211.68(
b)
•A sponsor shall retain the records and reports required by this part for 2 years after a marketing application is approved for the drug...
Part 312.57(
c)
7
February 17, 2012 – Biochem Laboratories Inc.Your firm has failed to exercise appropriate controls over
computer or related systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel [21 CFR 211.68(b)]. For example: a. Your firm did not put in place requirements for appropriate
usernames and passwords to allow appropriate control over data collected by your firm's computerized systems including UV, IR, HPLC, and GC instruments. All employees in your firm used the same username and password. In addition, you did not document the changes made to the software or data stored by the instrument systems. Without proper documentation, you have no assurance of the integrity of the data or the functionality of the software used to determine test results.
Example Citation
8
February 17, 2012 – Biochem Laboratories Inc. b. Your firm had no system in place to ensure appropriate
backup of electronic raw data and no standard procedure for naming and saving data for retrieval at a later date.
In your response, you state that you will maintain backup of electronic raw data and all technicians will have their own user identification (ID) and password. Your response, however, is inadequate because you do not describe how your firm intends to save and back-up the electronic raw data, nor whether your firm will implement audit trails on your computerized systems.
Example Citation (cont’d)
Part 11 does not apply to my computerized system.
10
RECORDS
SIGNATURES
11
§11.1 - Scope
This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations.
This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations.
12
21 CFR Part 312.62(b)Case histories. An investigator is required to prepare and
maintain adequate and accurate case histories that record all observations and other data pertinent to the investigation on each individual administered the investigational drug or employed as a control in the investigation. Case histories include the case report forms and supporting data including, for example, signed and dated consent forms and medical records including, for example, progress notes of the physician, the individual's hospital chart(s), and the nurses' notes. The case history for each individual shall document that informed consent was obtained prior to participation in the study.
Example Predicate Regulation
LIFECYCLE
13
Follow the records!
Part 11 does not apply because we use paper as
our official records.
Guidance – Scope and Application
15
Part 11 Impact
E-Records used in lieu of Paper
E-Records used in addition to
Paper
No Part 11 ImpactE-records
incidental to creation of Paper
Only use Paper records
16
Considerations for using Paper as the Official recordIs E-record really incidental to
creation of paper?Still responsible for data integrity
from creation through printingDecision of paper vs. e-record
should be documentedCannot use paper as a back up
The system records my User ID and a time stamp when I click the Approve
button; that’s an Electronic Signature.
18
Audit Trail
• Provides history of a record• Creation• Modification• Deletion
• Automatically generated for all regulated records
Signature
• Intent to Authenticate a Record
• Legally binding• Requires
application of a signature
• Used to meet signing requirements of predicate regulations
19
21 CFR Part 50.27(a) Except as provided in 56.109(c), informed
consent shall be documented by the use of a written consent form approved by the IRB and signed and dated by the subject or the subject's legally authorized representative at the time of consent. A copy shall be given to the person signing the form.
Example Predicate Regulation
20
Signature Types
• Writing with a stylus is preserved• Handwritten signatures executed to electronic records
• Scanned image of a wet signature• Signing on a digitizing pad• Hybrid systems – e-record + wet signature
Handwritten
• Multi-component signature entry• E.g. User ID/Password
Non-Biometric
• Measurement of unique attributes of the signer
Biometric
The vendor sold me aPart 11 compliant system.
22
Compliance
Technology
Process• Intended Use• People• Procedures
Example Part 11 Requirements
23
Part 11 Requirement
Technical
Procedural
§11.10(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
§11.10(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
§11.10(d) Limiting system access to authorized individuals.
The Vendor hosting thesystem is responsible
for compliance.
25
Record Owner• Ultimately Responsible for
Compliance
Vendor• Leverage Compliance for:
• Products• Services
Due Diligence
Due Diligence Activities
26
Onsite Assessment of Vendor – SDLC, QMS, and CSP procedures and controls
Development of Robust Service Level Agreement
Scheduling of Follow-up Assessments
Due Diligence Topics
SDLC/QMS
Development Practices
Testing Practices
Configuration Management
System Documentation
Release Management
Personnel Management
Vendor Management
Quality Improvement
Service Provider
Regulatory Knowledge
Security Management
Infrastructure Management
Support and Maintenance
Disaster Recovery
Core System Validation
Change Management
Resources
FDA Regulations(21 CFR Part 11
+ Predicate Regulations)
28
FDA Guidance Documents(Part 11 Scope & Application,
Computerized System in CI, and Electronic Source Documents)
GAMP 5 + GoodPractice Guides
(SDLC, QMS, Validation and Supplier Assessment Topics)
Questions
29
Thank you for your time!
Robert J. FinamoreDirector, IT Compliance and Validation
QPharma, Inc.
(973) 656-0011, Ex. [email protected]
30