PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C.

PricewaterhouseCoopers Proposed Agenda Recent 21 CFR Part 11 Developments Risk Management Perspective Potential Integration with other Legislation Examples Conclusion

PricewaterhouseCoopers Recent Developments CDER is now responsible for enforcement of 21 CFR Part 11 All previous Part 11 guidance has been withdrawn New draft guidance has been provided Draft guidance acknowledges that: Statements made by agency staff may have been misinterpreted as policy The use of technology has been restricted, contrary to the agency’s intent The cost of compliance far exceeds the agency’s expectations Part 11 has discouraged innovation without a significant public health benefit

PricewaterhouseCoopers Recent Developments Part 11 is being re-examined and may be revised Certain areas will be subject to enforcement discretion (validation, audit trails, record retention and record copying) All other areas will continue to be enforced

PricewaterhouseCoopers Recent Developments Narrow Scope – Part 11 applies when persons choose to use records in electronic format in place of paper records Decisions to rely on paper or electronic records should be documented Audit Trail –A risk-based approach should be followed where audit trails are not required by predicate rules –Focus on adds, changes or deletions of records that impact quality, safety and efficacy Validation –A risk-based approach should be followed where validation is not required by predicate rules –Word processing software that is used to create paper-based SOPs would likely not require validation Copies of records Record Retention - Risk Assessment driven

PricewaterhouseCoopers Recent Developments There are wide ranging opinions regarding what these changes mean Key messages: Part 11 is not going to go away The changes should not significantly modify your approach One size does not fit all Focus on risk management – an effective internal control structure that protects product safety, quality and efficacy

PricewaterhouseCoopers Risk Management Perspective Everything is not important – only those things that impact quality, safety or efficacy Risk – anything that can prevent an objective from being met Consider an ORCA Approach Analyze Business Process Understand Quality Related Objectives What are the Risks that could impact the objectives? What Controls must be established to mitigate the risks? Validation provides evidence that the controls are in place and Aligned with objectives and risks If system based controls are not in place, what other mitigating controls can be established? Document risk assessment and decision process

PricewaterhouseCoopers Linkage of 21 CFR Part 11 with COSO and Sarbanes Oxley COSO Structure COSO Component Business Process Transaction Control Objective Risk Control Activities Transaction Control Objective Risk Control Activity Issue Action Plan Testing

PricewaterhouseCoopers Examples Business Process – Procurement IT Infrastructure FunctionSub- Process ObjectiveRisksImpact ProcurementCreate a purchase order Purchases can only be sourced to qualified vendors  Appropriate controls are not established to ensure that vendors are qualified.  Vendor master file controls have not been established to prevent purchases from unqualified vendors  No Vendor Audit Program in Place Variation in quality of product Rejection of product Inventory shortages Impact on quality and safety

PwC Procurement - Example

PricewaterhouseCoopers Procurement & Vendor Qualification Vendor Evaluation and Qualification Vendor Master Maintenance Material or Service Master Maintenance Contracts and Pricing Vendor Confirmation Create Purchase Requisitions and Purchase Order (PO) Goods Receipt and Reconciliation Return to Vendor NO Payment to Vendor YES Material Qualification ** MT: Material Traceability must be defined after a material is accepted and qualified. This includes the assignment of unique lot numbers after receipt at a manufacturing site. ** MT

PricewaterhouseCoopers People, Process and TechnologyProcessesPeopleTechnology New Vendors are selectedPurchasing Personnel New Vendors are Qualified by QM Personnel Procurement of Raw Materials Receipt of Goods Material Qualification Material Traceability- Assign Lot Numbers Vendor Payments SOP SOP SOP Quality Management Personnel Quality Management Personnel Purchasing Personnel Warehouse Personnel Warehouse or Operations Personnel Purchasing Personnel System records Vendor Qualification details System records Material Qualification details Material lot numbers and tracking recorded in the system Vendor Setup in system Payment generated from system

PricewaterhouseCoopers Procurement & Vendor Qualification Vendor Evaluation & Qualification Controls: Audit Trails for Vendor Qualification are established, including appropriate electronic record and signature requirements to meet 21 CFR Part 11 Vendor Qualification policies and procedures have been established and implemented Vendor Qualifications are restricted to authorized personnel Materials must be procured only from qualified vendors Quality procedures are distributed to approved vendors on a regular basis and are included as part of the negotiations for new external sourcing arrangements Associated Risk/Consideration: Unauthorized vendors may be found in the Master Vendor File Materials may be procured from unqualified vendors Approved vendors may not meet FDA requirements Regulatory exposure Records of vendor qualification reviews and results may be inappropriate or not exist

PricewaterhouseCoopers Address Book Controls Vendor Address Book Maintenance Controls: Restricted access to Vendor Master File Vendor Master File changes are tracked via an associated audit trail Electronic signatures and records are maintained as appropriate for all Vendor Master Changes in accordance 21 CFR Part 11 Associated Risk/Consideration: Unauthorized purchases may result Unauthorized payments to vendors may occur Duplicate Vendor Master records may exist Changes to vendor Master files may not be cGMP compliant as accurate, traceable and approved Regulatory exposure

PwC Example – IT Infrastructure

PricewaterhouseCoopers IT Infrastructure Example Business Process Controls Authorizations and Security Testing, Conversion & project management Operating System Security Change Control Backup, Recovery and Contingency Planning Physical Security Database Management Integrity Enterprise Security Policies & Procedures Internet Firewalls Legacy System Interfaces

PricewaterhouseCoopers Conclusion Don’t stop your Part 11 efforts Re-examine your approach in light of the new guidance Don’t over complicate the process Think process and then technology Incorporate risk management concepts wherever possible Document risk assessment and decision processes

PricewaterhouseCoopers Contact Information Patrick D. Roche, Florham Park, NJ (973)

Pwc