21 CFR Part 11 Regulatory Overview and What’s New with the FDA Presented by: Frederick J. Sperry Validation Manager NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Agenda Regulatory History Regulation Applicability E-Record Requirements Review E-Signature Requirements Review What’s New With FDA Enforcement Q&A NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulatory History 1997 – 21 CFR Part 11; Final Rule 1997-2002 – Enforcement, 6 Draft Guidances Issued 2003 – Previous Guidances Withdrawn 2003 – Guidance on Scope and Application (Kindler – Gentler Part 11) cGMPS for 21st Century Enforcement discretion NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulatory History Enforcement Discretion – what did that mean? Agency has not generally enforced certain Part 11 requirements without other issues Guidance does not carry the weight of law Systems and applications still must meet predicate rule requirements The use of a System or Application Risk Assessment is a good tool to identify and focus on key issues associated with compliance to predicate rules. NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulatory History Risk Assessment Basics for Part 11 Determining the Need for a Control Determining the Type of Control to be Implemented Factors for Consideration Impact on Product Quality and / or Public Health Likelihood of Risk Scenario impacting product or status reporting or release data Identify any Mitigating Factors – extra testing or procedural controls NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulatory History The Future Revision to Part 11 eventually But hasn’t been a priority Current Part 11 regulations continue to be enforceable Enforcement likely to reflect current thinking from latest guidance New Inspectional Guidance Process To assess compliance in Industry Post Inspections, expect Part 11 to be revisited NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Why is Part 11 necessary? Paper Records / Handwritten Sigs E-Records / E-Signatures (+) Fixed Representation (+) Durable (+) Changes Very Evident (+) Copies Evident (+) Signatures Hard to Forge (-) Need Storage Space (-) Inefficiency of Search / Sharing (+) Global Sharing (+) Rapid Analysis and Search (+) Efficient Review and Approval (-) Changes / Copies Not Evident (-) Selective Data Views (-) Higher Possibility of Data Loss (-) Easy to Forge Signatures NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Electronic records used to meet record keeping requirements of FDA regulations Example Predicate Requirements: §211.188 – “Batch production and control records shall be prepared for each batch of drug product…” §820.30(j) – “Design history file. Each manufacturer shall establish and maintain a DHF for each type of device.” NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Building Management Systems (BMS) Calibration Management Systems (CMS) Maintenance Management Systems (MMS) Manufacturing Execution Systems (MES) Enterprise Resource Planning (ERP) Distributed Control Systems (DCS) SCADA and PLC Systems Chromatography Data Acquisition Systems Environmental Monitoring Systems (EMS) Lab Information Management Systems (LIMS) Stability Systems DM & PK Systems NOTES: _________________________________________________________ ________________________________________________________________ _ Training Record Systems Electronic Submission Systems Sales Force Automation Systems (SFA) Standard Operating Procedure Systems Document Management Systems (DMS) Case Report Form Systems Clinical Data Management Systems Statistical Analysis Software (e.g., SAS) Adverse Event Reporting Systems (AERS) ©QPharma 2010
Regulation Applicability Paper vs. Electronic Records Previous Interpretation Regulated data written in non-temporary form to tangible media is an electronic record with Part 11 impact True even if records were printed and paper was called the “official” copy 2003 Guidance Electronic records are exempt from Part 11 if only paper versions of the electronic records are used for regulated activities NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Paper vs. Electronic Records Key Points for Exemption Still responsible for ensuring data integrity from creation to printing Once hardcopy is generated, electronic records cannot be used for any regulated purpose – even as a backup in case paper is lost Decision to use paper (or electronic records) should be documented Should have procedures and training indicating electronic records not to be used after printing Preferable to purge electronic records after printing NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Legacy Systems Previous Interpretation No grandfathering of systems Even if a system was in place before Part 11 was legally enforceable, Part 11 still applies effective August 20, 1997 2003 Guidance Enforcement discretion for legacy systems Part 11 will not be enforced for systems that were in production prior to August 20, 1997 NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Legacy Systems Key Points for Legacy Exemption System must have met all predicate rule requirements prior to August 20, 1997 The system currently meets all predicate rule requirements Documented evidence and justification exists that the system meets its intended use (i.e., validation) No changes have been made to the system that prevent the system from meeting predicate rule requirements NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Electronic Signatures Previous Interpretation Part 11 applies to all electronic signatures used to meet the signature requirements of predicate rules and an organization’s internal procedures 2003 Guidance Part 11 does not apply to signatures required by internal procedures if there is no corresponding predicate rule requirement NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Signatures Types Handwritten Biometric Non-biometric Example Predicate Requirement §211.168(a) – “To ensure uniformity from batch to batch, master production and control records for each drug product, including each batch size thereof, shall be prepared, dated, and signed…” NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Hybrid Systems Combination of Electronic and Hardcopy Components Maintain data electronically – print and sign a hardcopy Raw data maintained electronically – derived data printed (and possibly signed) NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Regulation Applicability Which Sections of the Regulation Apply? NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(a) – Validation Previous Interpretation If Part 11 applies to a system, it must be validated 2003 Guidance Enforcement discretion for this requirement The need for validation is determined by predicate rule requirements and documented risk assessment Even if no predicate requirement, may still be important to validate to determine if system meets its intended use NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(a) – Validation FDA Cited Validation References General Principles of Software Validation; Final Guidance for Industry and FDA Staff GAMP 4 or 5 Guide for Validation of Automated Systems Example Predicate Requirement: §820.70(i) – “Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.” NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(b) – Copies of Records Previous Interpretation It must be possible to provide complete and accurate copies of all electronic records and associated metadata to FDA in both hardcopy and electronic format Converted formats must have same search, sort and trend operations as original records 2003 Guidance Enforcement discretion - Agency investigators must be afforded reasonable and useful access to records in accordance with predicate rules Preserve content and meaning NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(b) – Copies of Records Example Predicate Requirement: §820.180 – “All records required by this part shall be maintained at the manufacturing establishment or other location that is reasonably accessible to responsible officials of the manufacturer and to employees of FDA designated to perform inspections. Such records, including those not stored at the inspected establishment, shall be made readily available for review and copying by FDA employee(s). Such records shall be legible and shall be stored to minimize deterioration and to prevent loss. Those records stored in automated data processing systems shall be backed up.” NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(c) – Record Retention Previous Interpretation Electronic records must be protected such that accurate copies could be readily provided throughout retention period If created electronically, records must be maintained electronically Archived records must have same search, sort and trend operations as original records NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(c) – Record Retention 2003 Guidance Enforcement discretion for this requirement Records must be retained in accordance with predicate rules Retained records must preserve content and meaning of the original records Records may be archived to non-electronic format such as paper, microfilm, or microfiche NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(c) – Record Retention Example Predicate Requirements: §211.180(a) – “Any production, control, or distribution record that is required to be maintained in compliance with this part and is specifically associated with a batch of a drug product shall be retained for at least 1 year after the expiration date of the batch or, in the case of certain OTC drug products lacking expiration dating because they meet the criteria for exemption under 211.137, 3 years after distribution of the batch.” §820.180 – “Such records shall be legible and shall be stored to minimize deterioration and to prevent loss.” NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(d) – Security Limit access to authorized individuals Physical security Logical security Backend file / database access NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(e) – Audit Trail Previous Interpretation A secure, computer generated, time-stamped audit trail is required for all operator actions that create, modify or delete e-records Audit trail must retain a full history of changes made to the record 2003 Guidance Enforcement discretion for this requirement Need for audit trail and the form it takes is determined by predicate rule requirements and documented risk assessment Even if no predicate requirement, may still be important to have audit trail to ensure trustworthiness and reliability of records NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(e) – Audit Trail Example Predicate Requirement: §58.130(e) – “Any change in entries shall be made so as not to obscure the original entry, shall indicate the reason for such change, and shall be dated and signed or identified at the time of the change..” NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(f) – Operational System Checks System enforces logical sequencing of events (where applicable) §11.10(g) – Authorization Checks Access to functionality limited to user role §11.10(h) –Device Checks Ensure sources of data input are properly identified and verified (where applicable) NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements §11.10(i) – Training System developers, administrators and users must be properly trained §11.10(j) – Accountability Accountability policies for user actions in the system §11.10(k) – Documentation Controls Control over distribution, access and use of system docs Revisioning procedures for system documentation NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Record Requirements Open vs. Closed Systems Closed System The access to the data in the system stay within owner’s control Open System The system access is not controlled by persons who are responsible for the data §11.30 – Open System Controls Additional controls to ensure authenticity, integrity, and confidentiality of records Encryption Digital signatures NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Signature Requirements §11.50 – Signature Manifestation Signature information associated with record must appear in all human readable forms Printed name of signer Date and time of signing Meaning of the signature §11.70 – Signature Linkage Signature must be securely linked to electronic records such that the signature cannot be excised, copied, or transferred by ordinary means Includes handwritten signatures executed to electronic records NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Signature Requirements §11.100 – General Requirements (a) Signature must be unique to one individual (b) Identity verification required prior to electronic signature access and release (c) Certify use of electronic signatures to FDA NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Signature Requirements §11.200 – Electronic Signatures Components and Controls (a)(1) Non-biometric signatures must employ at least two distinct components (a)(1)(i) Must enter all components during first signing of continuous session – must enter one private component on subsequent signings (a)(1)(ii) Must enter all components during non-continuous session System inactivity lock out NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Signature Requirements §11.200 – Electronic Signature Components and Controls (a)(2) E-sigs may only be used by genuine owner (a)(3) Collaboration would be necessary for non-owner to use signature System admin cannot view passwords (b) Biometrics can only be used by genuine owners Resolution of scan to avoid false positives NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
E-Signature Requirements §11.300 – Controls for ID Codes / Passwords (a) ID Code / Password combo must be unique (b) Password aging is required (c) Loss management for devices (d) Transaction safeguards Lock out after N failed attempts Immediate (reasonable) notification to security (e) Device testing NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
FDA New Part 11Initiative The FDA’s Next Step Presented at ISPE Washington conference By: Center for Drug Evaluation and Research (CDER) Agency to re-examine 21 CFR Part 11 as currently implemented in industry Company Drug inspectional assignments will include a Part 11 Requirements component Compare requirements in Part 11 Scope & Application guidance published in August of 2003 with actual implemented systems. ©QPharma 2010
FDA New Part 11Initiative Purpose of Inspections: To evaluate industry’s compliance and current understanding of Part 11 In light of the enforcement discretion described in the 2003 Scope of Application Guidance Inspectional Note: CDER intends to take appropriate enforcement action to Part 11 requirements for serious predicate rule issues raised during the inspections ©QPharma 2010
FDA New Part 11Initiative In Summary The FDA will evaluate industry compliance with Part 11 Regulation Inspections performed in light of the enforcement discretion described in the scope of application guidance – issued August 2003 CDER intends to take appropriate action to enforce Part 11 requirements for issues raised during inspections. FDA may use the inspectional findings as a part of the re-evaluation of the 21 CFR Part 11 Regulation and Guidance documents. ©QPharma 2010
Questions NOTES: _________________________________________________________ ________________________________________________________________ _ ©QPharma 2010
Thank you!: Fred Sperry Validation Manager QPharma, Inc. 22 South Street Morristown, NJ 07960 (973) 656-0011 x2028 (973) 656-0408 (FAX) frederick.sperry@qpharmacorp.com http://www.qpharmacorp.com ©QPharma 2010