21 cfr part 11 compliance
Transcript of 21 cfr part 11 compliance
Page 1
21 CFR PART 11 REGULATIONS ON
ELECTRONIC RECORDS &
ELECTRONIC SIGNATURES &
REGULATORY PERSPECTIVE
ON ITS REQUIREMENTS
&
GAMP Requirements
Apr 15, 2023
Page 2
Original intended key objectives of Part 11 Regulations
Retention/documentation of records
Integrity/security of Records
FDA Access to Records
Authentication of Electronic Signatures
Accountability for Maintaining Records / System
Validation
Page 3
Contents
21 CFR Quality Management System Regulations
What is 21CFR11
The important aspects of 21CFR11
21CFR Basics
Equivalent requirements in EU legislation & PICs
Problem Areas
Examples
FDA Inspector Questions
FDA Checks based on their training & experience
GAMP requirements & categories
Page 4
QUALITY SYSTEM REGULATION
PART 11 REGS.
- 21 CFR 11.10(a)
Validation of Systems
- 21 CFR 11.10(b)
Controls – Closed Systems
- Generate copies of records for inspection
- 21 CFR 11.10(c)
Protection of Records to enable retrieval
Page 6
QUALITY SYSTEM REGULATION
PART 11 REGS.
- 21 CFR 11.10(i)
Education - personnel
- 21 CFR 11.10(j)
Accountability
- 21 CFR 11.10(k)
Controls – system documentation
Page 7
QUALITY SYSTEM REGULATION
GOOD LAB. PRACTICE REG.
- 21 CFR 58.15 Inspection of records
- 21 CFR 58.29 Personnel – education and training
- 21 CFR 58.33 Study Director – responsibility for documentation
- 21 CFR 58.35 Quality Assurance Unit
- 21 CFR 58.81 Written standard operating procedures
- 21 CFR 58.190 Storage and retrieval of records
- 21 CFR 58.195 Retention of records
Page 8
What is 21CFR11?
21CFR = FDA, Code of Federal Regulations
21CFR58 = GLP
21CFR210 = GMP, Drugs (General)
21CFR211 = GMP, Drugs (Finished Pharmaceuticals)
21CFR312 = Inv. New drug Application (GCP)
21CFR314 = FDA Approval of new drug (GCP)
21CFR6xx = GMP, biologics
21CFR820 = GMP, Devices
21CFR…… = Food, nutrients and cosmetics
21CFR11 = Electronic Records; Electronic Signatures
Page 9
The important aspects of 21CFR11:
Substantive rule from 20 August 1997
Applies to any e-record in any FDA regulated work including legacy systems
Criteria for e-records and e-signatures:
- Trustworthy and reliable
E-signatures = hand-written signatures
Minimum requirements / fraud prevention
Page 10
21 CFR Part 11, Basics
Electronic records equivalent with paper records
• Storage, retrieval and copying in full retention period
• Submitting to FDA
Protection of electronic records
• Security (physical and logical)
• Validation
• Audit trail (who did what, when, including reason where required)
Permission to use electronic signatures
• Equivalent with handwritten signatures
• Name, date and meaning
• Linking of signature to record
• Unique for an individual
Page 11
Equivalent requirements in EU legislation
Annex 11, Computerised Systems
Personnel
Validation
System
• Descriptions and SOPs
• Change control and configuration management
• Records; entry, storage, retrieval
• Audit trail
• Security and Disaster recovery
• etc.
Page 12
PIC/S Guidance
Good Practices for Computerised Systems in regulated “GXP” environment
Computer System Life cycle, incl.
Electronic Records and Signatures
Security, and
Audit trail
Checklists for Inspection
Links ISO and IEEE standards, 21CFR11, APV guides, PDA Technical Reports together
Page 13
Problem areas
Lack of knowledge in the organisation on
Computer Validation
21 CFR Part 11
Maintenance of computer systems
Purchases of non-compliant systems are ongoing
“Part 11 compliant systems” do not exist
• Administrative controls (= Company policies)
• Procedural controls (= Company SOPs)
• Technical controls (= Supplier SW controls)
Page 14
Example of 483 given by FDA investigator:
The 483 observation below led to the issuance of a Warning Letter by FDA:
A review of the High Performance Liquid Chromatograph
(HPLC) electronic records from July 3, 2013, for (b)(4) batch
#(b)(4) revealed an Out-of-Trend (OOT) result. The sample
preparation raw data was discarded and not reported. A QC
analyst indicated that these results were discarded due to
some small extra peaks identified in the chromatogram
fingerprint and an unexpected high assay result. The QC test
data sheet reported two new results that were obtained from
samples tested on July 4, 2013 and July 5, 2013, using a
different HPLC instrument.
Page 15
FDA 21CFR11 inspection questions
Who is allowed to input data?
Who is allowed to change data?
How can you tell who entered the data?
How do you know which data had been changed?
When do you lock down the data input?
Can you do the following actions?
“Show me some data, show me you can see the history of the
data, show me you control the data life cycle.”
Is the system validated and are the requirements met?
Can you show me the results of the validation activities?
Does the validation include: “Pass/fail, signature, date/time
stamp”; and “objective evidence - screen prints or page
printouts with a link to the direction that generated the output.”?
Page 16
What FDA Inspectors are Trained to Look For…
To effectively prepare for a visit from FDA, you must learn to look at your operations
through the eyes of an FDA investigator. For your computerized systems, some items
FDA investigators are trained to observe include:
– Is data being collected concurrently with the performance of your operations?
– Are systems designed to record non-conformances?
– Do systems question out-of-specification results but not borderline results?
– Are passwords shared, maintained on “Post-Its”, or found in the middle desk drawer?
– Are password restrictions logical (e.g., not re-used, not the same as user IDs, not just one character or space, or easily guessed)?
– Are adequate protections in place when employees leave or transfer — or IDs are compromised?
– Are systems left on and unattended?
– Are electronic signatures being used and, if so, has the firm filed a Part 11.100(c) notification?
– Are hybrid systems being used and, if so, how are handwritten signatures linked to electronic records?
Page 17
What FDA Inspectors are Trained to Look For…
To effectively prepare for a visit from FDA, you must learn to look at your operations
through the eyes of an FDA investigator. For your computerized systems, some items
FDA investigators are trained to observe include:
– Are electronic copies of electronic records available?
– Does the firm truly understand “system validation”?
– Can records be altered without leaving a trace?
– Are changes to electronic records obvious and clearly flagged to indicate a change?
– Is the original data readable?
– Have system administrators been trained in network operations and security?
– Are systems open or closed — and what is being done to ensure the security of open
systems?
Page 18
Note:
Note that this enforcement is not based on what system or process the manufacturer says is
being used — but on the investigator’s actual observation and evidence collection of
what system is being used. Citations, usually referencing the predicate rules and not always
mentioning Part 11, are appearing in both FDA-483s as well as Warning Letters.
Page 19
Automating GMP Areas: GAMP
Good Automated Manufacturing Practices (GAMP) provides the Framework for
Automated System Validation
Current version GAMP 5 emphasizes Risk Based Approach to Software Validation with Life Cycle Model
GAMP Categories
Category   Software Type                     CSV Criticality
1          Operating System                  Low
2          Firmware                          Removed in GAMP 5
3          Standard Software Packages        Medium - High
4          Configurable Software Packages    Medium - High
5          Custom or Bespoke Systems         High
Page 20
Automating GMP Areas:
Personnel Qualifications (211.25)
Consultants (211.34)
Equipment Cleaning and Maint. (211.67)
Automated Equipment (211.68)*
Written Procedures (211.100)
Materials Examination and Usage (211.122)
Packaging and Labeling Oper. (211.130)
Drug Product Inspection (211.134)
Distribution Procedures (211.150)
Reserve Samples (211.170)
Records and Reports (211.180)
Equipment Cleaning and Use (211.182)
Component, Container, Closure and Labeling Records (211.184)
Master Production Records (211.186)
Batch Production Records (211.188)
Production Record Review (211.192)
Laboratory Records (211.194)
Distribution Records (211.196)
Complaint Files (211.198)
Returned Drug Products (211.204)
Drug Product Salvaging (211.208)
Page 21
Automating GMP Areas:
Process Control Systems
• PLC / DCS / SCADA / BMS
• Laboratory Computerized Systems
• Application Software Like HPLC / GC / FTIR etc.
Global Information Systems
• ERP Systems Like SAP / BaaN
• Document Management Systems
Page 22
Process Control Systems:
Access Control & Password Management
Program Back Up for PLC / HMI / SCADA
Set Parameter Ranges To Be Restricted / Defined
Alarm Management
System Clock Synchronization
System Design Documents vs. Configuration Check
Printers & Reports
Electronic Records & Signatures – Wherever Applicable
Life Cycle Management
Page 23
Laboratory Computerised Systems:
Access Control & Password Management
Adequate User Ids
Data Back Up & Restore
Data Security
Laboratory Network & Server Qualification
System Clock Synchronization
Printers & Records
Electronic Signatures & Records
Life Cycle Management
Page 24
Global Information Systems like ERP, SAP, DMS, Agile etc.:
cGMP vs. System Configuration
Interfacing of Quality Management System (BMRs) vs. ERP Records
Access Control & Password Management
Adequate User Ids
Data Back Up & Restore
Data Security
Network & Server Qualification
Paper Records vs. Electronic Records
Electronic Signatures
Life Cycle Management
Page 25
Maintaining Control in Operation:
The Maintaining Control in Operation (Post Validation) Program should ensure the following:
All updates / new development / implementation are in line with the Change Control Procedures
Risk Assessment is carried out for all updates / new development / implementation
Validation documents (SOPs / Protocols / Specifications) are reviewed and updated periodically
Audit the Validation Status of various systems
Monitor the Performance of Systems Periodically
Page 26
Approach towards Compliance:
Formulate Computer System Validation Policy – Top Line Statement
Form the Core Team
Formulate Validation Master Plan
Define IT policies & Procedures
For New Systems Follow GAMP V Model – URS to PQ
For Existing Systems
• Take the inventory of Systems
• Carry Out Impact Analysis
• Carry Out Risk Assessment for each System
• Close the Gaps
• Update the URS and follow GAMP V Model
Maintain Control in Operation