The FDA's New Enforcement of
21 CFR Part 11 Compliance
(An Overview)
June 2012
© 2012, HCL Technologies, Ltd. Reproduction prohibited. This document is protected under copyright by the author. All rights reserved.
Contents
About Validation
Abbreviations
FDA Regulation Along the Drug Life
Other Challenges
Modules/Steps Involved in the Validation Process
Module 1: Regulatory Requirements
Module 2: Steps for Cost Effective Computer System Validation
Module 3: Initial and Ongoing Tests of Software and Computer Systems
Module 4: Minimum Validation Documentation Validation
Module 5: Qualification of Network Infrastructure and Validation of Network System
Module 6: Understanding FDA Part 11 and the EU GMP Annex 11
Case Study
Conclusion
Reference
Author Info
About Validation
Validation:
Validation is defined as the act of testing for compliance with a
standard.
Need for validation in computer systems:
Required by regulations – US FDA, EMA, GMP, GCP, GLP
Ensures consistent data and product quality
Helps to protect intellectual property through scientifically sound data
In 1997, the United States Food and Drug Administration (FDA)
issued a regulation that provides criteria for acceptance by the FDA
of electronic records, electronic signatures and handwritten
signatures. This was done in response to requests from the
industry. With this regulation, titled Rule 21 CFR Part 11 (henceforth
referred to as Part 11), electronic records can be equivalent to
paper records and handwritten signatures.
Title 21 is the portion of the Code of Federal Regulations that
governs food and drugs within the United States for the Food and
Drug Administration (FDA), the Drug Enforcement Administration
(DEA), and the Office of National Drug Control Policy (ONDCP).
Compliance is not as easy as it seems.
The premise may seem straightforward, but implementing these
regulations, adhering to them, and being able to document that the
organization is compliant is quite complex. This paper provides you
with information on HCL guidelines for Part 11.
Abbreviations
Sl. No. | Acronym | Full Form
1. | CFR | Code of Federal Regulations
2. | EU | European Union
3. | GMP | Good Manufacturing Practices
4. | AGMP | Automated Good Manufacturing Practices
5. | GLP | Good Laboratory Practices
6. | GCP | Good Clinical Practices
7. | GxP | GLP+GCP+GMP = Predicate Rules
8. | EMA | European Medicines Agency
9. | URS | User Requirement Specification
10. | PIC/S | Pharmaceutical Inspection Convention/Cooperation Scheme
11. | OQ | Operational Qualification
12. | DQ | Design Qualification
13. | PQ | Performance Qualification
14. | IQ | Installation Qualification
FDA Regulation Along the Drug Life
Part 11 applies to all records that are defined in the underlying acts
and regulations which govern activities in the life sciences
industries. These underlying acts and regulations, which are
referred to as the “predicate rules,” are any requirements set forth in
the FDCA Act (Federal Food, Drug and Cosmetic Act), the PHS Act
(Public Health Service Act), or any FDA regulation (GLP, GMP, and
GCP). The predicate rules mandate what records are to be
maintained, the content of those records, whether signatures are
required, how long records must be maintained, and so on.
Part 11 requires drug makers, medical device manufacturers,
biotech companies, biologics developers, and other FDA-regulated
industries to implement controls, including audits, system
validations, audit trails, electronic signatures, and documentation for
software and systems involved in processing electronic data that are
either required to be maintained by the FDA predicate rules or used
to demonstrate compliance to a predicate rule. Part 11 applies to all
existing and all newly-installed systems.
Challenges
A wave of change is sweeping through the life sciences industry.
Electronic records and electronic signatures are replacing paper
records and hand-written signatures. The challenge is to comply
with the regulations while implementing the most efficient and
effective systems possible. Although companies initially may resist
moving toward compliance, the return on investment for accepting
the change is high. Likewise, the penalty for non-compliance can be
severe.
The regulation has been largely open to interpretation, resulting in
many different compliance approaches. While the FDA is dictating
what needs to be done, how it is to be done is left to individual
companies.
There are several problems or challenges associated with Part 11 in
life science firms:
Part 11 is a regulation to promote public safety through an organization's ability to control data integrity with respect to authorized and unauthorized modifications to records. Data integrity and information security are the key objectives of Part 11.
To begin the move to compliance, a Part 11 gap assessment should be performed on all systems subject to records requirements set forth in the FDA regulations.
Failure to comply can lead to denial of a New Drug Application (NDA), potential delay in manufacturing, “483” warning letters, civil penalties, and even prosecution for negligence. These penalties, and the resulting delay in releasing new drugs, can cost life science firms millions of dollars.
Steps for attaining initial compliance to Part 11 have been documented, which can help the organization achieve FDA compliance.
Modules/Steps Involved in the Validation Process
There are six steps involved in the validation process, which are listed below.
Regulatory requirements
Steps for cost-effective computer system validation
Initial and ongoing tests of software and computer systems
Minimum validation documentation inspectors want to see
Qualification of network infrastructure and validation of network systems
Understanding the spirit and basics of the FDA Part 11 and the EU GMP Annex 11
Module 1: Regulatory Requirements
Regulatory requirements require persons to “employ procedures
and controls, designed to ensure the authenticity, integrity, and
confidentiality of electronic records, and to ensure that the signer
cannot readily repudiate the signed record as not genuine.” Various
steps have been derived to satisfy these requirements.
Computer system validation
Regulation and quality standards
Validation master plan
Validation approach – lifecycle models
Computer System Validation
Computer systems used to create, modify, and maintain electronic
records and to manage electronic signatures are also subject to the
validation requirements. Systems that maintain certain employee
training records may even be subject to validation. Such computer
systems must be validated to ensure accuracy, reliability, consistent
intended performance, and the ability to discern invalid or altered
records.
Validation is a systematic documentation of system requirements,
combined with documented testing, demonstrating that the
computer system meets the documented requirements. It is the first
requirement identified in Part 11 for compliance. Validation requires
that the system owner maintain the collection of validation
documents, including requirement specifications and testing
protocols.
Regulation and Quality Standards
The requirements in this part govern the methods, facilities and
controls used for the design, manufacture, packaging, labeling,
storage, installation, and servicing of all finished devices intended
for human use, so they should satisfy:
GLP (Good Laboratory Practices)
GCP (Good Clinical Practices)
GMP (Good Manufacturing Practices)
AGMP (Automated Good Manufacturing Practices)
FDA's 21 CFR Part 11/EU Annex 11 (electronic records and signatures)
(Automated) equipment should be suitable for its intended use
Equipment should be routinely checked
Validation Master Plan
A Validation Master Plan (VMP) is an integral part of a
well-organized validation project. It documents the company's approach
to complex validation projects. The VMP has a broad scope. It
clarifies responsibilities, general objectives, procedures to be
followed for validation, and it prioritizes multiple validation tasks. It
may reference several protocols and procedures to be written in
order to conduct the qualification of several different pieces of
equipment and different processes. It may also specify schedules
for validation and the allocation of resources needed to perform the
validation. VMP provides a means of communication to everyone
associated with the project. It lets management know how the
company's resources are being allocated and when they will see the
results. It tells the validation team what they have to do, when they
have to do it, and gives them a means of tracking progress. Other
groups can find out what the validation team is doing and what their
roles are in support of the validation project. The FDA can look at
the VMP and see the validation project is well thought out and
organized; there is a logical reason for including or excluding every
system from the validation project based on a risk analysis.
Validation Approach – Lifecycle Models
Validation is not a one-time event. Validation starts when you plan
and design a product (hardware, software) or a method. Validation
is finished when the product is retired and all data is successfully
moved to a new system. Validation follows one of the lifecycle
models.
Risk-Based Validation
Specific requirements for computers and electronic records and
signatures are also defined in the FDA's regulation, Part 11, on
electronic records and signatures. This regulation applies to all
FDA-regulated areas, and has specific requirements to ensure the
trustworthiness, integrity and reliability of records generated,
evaluated, transmitted and archived by computer systems. In 2003,
the FDA published guidance on scope and applications of Part 11.
In this document, the FDA promoted the concept of risk-based
validation.
Defined Actions for Risk Categories:
Risk Level | Business Continuity | Compliance/Health
High | Failure has a significant impact on delivery of products for several days | Failure of the system may cause harm to patients and there is no correction possible
Medium | Failure has potential to impact the delivery of products for 1 or 2 days | Failure of the system may cause harm to patients and there is a good potential to correct the failure
Low | Failure has negligible impact on product delivery | Failure of the system will not cause harm to patients
Module 2: Steps for Cost Effective Computer System Validation
Form a Project Team which should include representatives from
these key areas:
IT
QA
User groups
Validation groups, if applicable
Regulatory affairs
Documentation
Purchasing
They should meet regularly to make critical decisions and
communicate to a wider user base.
Document the User Requirements which should be based on
requirement specification, risk assessment and GMP impact. User
requirements should be traceable throughout the lifecycle. The
document should cover the below-mentioned points to address this
requirement.
Contents
Justification for system
Intended application, e.g. electronic documents management
Intended environment (computer and network, operating environment, e.g. laboratory, manufacturing and office)
Process overview
Detailed user requirements
Signature and approval
When to write URS?
Who writes it, who approves it?
Develop a Validation Project Plan which should define the
activities, procedures and responsibilities for establishing the
adequacy of the system. It should be derived from the company's
validation master plan. There should be a specific strategy,
approach, risk assessment, resources, responsibilities, activities
and deliverables of the validation effort. It can be written in a table
template or a flow text form, as shown below.
Table
Purpose of the plan
Product description
Validation strategy
Responsibilities (position)
Supplier assessment
Risk assessment
Testing strategies and reporting
DQ
IQ
OQ
PQ
Traceability matrix
Procedures
Approval
Documents and control
Conduct Risk Assessment
Risk assessment should be applied throughout the lifecycle of the
computerized system. As part of a risk management system,
decisions on the extent of validation and data integrity should be
based on a justified and documented risk assessment. The purpose
is to optimize resources toward high-risk systems. Inputs for
risk assessment include user experience with the same equipment
already installed, user experience with similar equipment already
installed, IT staff experience with the same or similar equipment,
experience with the equipment vendor, and information from the vendor
on what can go wrong (during testing and ongoing use).
Assess Supplier
The regulated user should take all reasonable steps to ensure the
system has been developed in accordance with an appropriate
quality management system. The purpose is to determine the
adequacy of the supplier quality system.
Installation Qualification
Collect the supplier's environmental conditions, operating and
working instructions, and maintenance requirements. Compare
systems, as received, with the purchase order. System installation should
follow vendor specifications for servers, clients, licenses,
and the installation protocol.
Install interfaces, e.g. an e-mail system, with impact analysis. Design
an overview with system drawings, e.g. data flow, and test for
successful installation. Check documentation for accuracy and
completeness. Document all components with asset and serial
numbers.
Operational and Performance Qualification
Ensure the system works in your environment and identify critical
functions for the computer systems as defined in the functional and
user environment specifications. Develop these as test cases for the
functions and define acceptance criteria, or take advantage of the
vendor's OQ package. Perform the test and evaluate results,
compare with the acceptance criteria, and finally document the
results. Ensure smooth application-specific operation and suitable
performance of the complete system through the ongoing operation.
Validation report
It should include a brief description of each project activity used to
review all preceding validation activities and indicate the status of
the system prior to implementation into the production environment.
Deviations from the project plan should be documented and a risk
assessment should be performed.
Module 3: Initial and Ongoing Tests of Software and Computer Systems
A test should be developed, formally documented and used to
demonstrate that the system has been installed and is operating
and performing satisfactorily, and to ensure that system requirements
are met. Base the test evidence kept on a justified and documented risk
assessment: keep hard copy screen prints for high impact functions.
Consider testing of native functions carefully. The extent of testing
should be based on risk, complexity and novelty.
Module 4: Minimum Document Validation
Documentation which inspectors want to see is listed below.
Documentation
Required SOPs (examples)
Supplier and service providers agreement
Suppliers and service providers assessment information
Supplier agreement
Data back-up
Back-up storage locations, validation, back-up frequency and documentation
Periodic evaluation and review of computer systems
Internal audits of computer system
Business continuity plan
Disaster recovery plan preparation
System retirement
Maintenance support
Framework (corporate, site, department)
For individual projects processes
For individual products
Test records
Module 5: Qualification of Network Infrastructure and Validation of Network System
Why Care About Network Infrastructure?
A well-qualified network infrastructure increases system uptime and
reduces maintenance costs. Ensure that the network is qualified at
least once, and not for each application. Network infrastructure is
subject to FDA/EU inspection.
Regulation/Guidelines for Qualification/Validation of Network
Infrastructure
GxPs - The system should be suitable for the intended use
21 CFR Part 11 – E-signatures/Records - Defines requirements for electronic records and electronic signatures in FDA-regulated industries
PIC/S Good Practice Guide - Has lots of good recommendations on using computers in regulated environments
Module 6: Understanding FDA Part 11 and the EU GMP Annex 11
FDA Part 11 and the EU GMP Annex 11 insist on the below-mentioned
points:
Control of Closed System (11.10)
Validation
Accurate and complete copies
Protection and retrieval of records
Limited access to systems and data
Electronic audit trail
Authority checks
Device checks
Operational system checks
People qualification
Individual accountability
Controls over system documentation
Digital Signatures (11.30)
Use of digital signatures for open systems
Electronic Signatures (11.50, 11.70, 11.100, 11.13)
Requirements for signed electronic records
Linking records to signatures
Requirements for electronic signatures
Electronic signature components
FDA 21 CFR Part 11 & EU GMP Annex 11: General Requirements for Electronic Signatures
E-signature must be unique. Ex: user ID and password, biometric devices
Identity of individuals must be verified
Identification code must be periodically checked, recalled and revised
Pass card must be periodically tested
Attempts at unauthorized access must be reported
The use of an e-signature must be certified with the FDA
Annex 11 requires 1 and 2 along with the additional
requirements below:
Risk management
Supplier and service provider management
Data entry and processing
Data accuracy checks
Change management
Periodic evaluation
Incident management
Batch release
Business continuity
Regulation (Annex 11)
For electronic records, regulated users should define which data are
to be used as raw data. At least, all data on which quality decisions
are based should be defined as raw data (EU Annex 11).
Recommendation
For hybrid systems, clearly define if electronic data or printouts are
raw data. If printouts are defined as raw data, they should include all
required records.
Case Study
The use of electronic records is expected to be more cost-effective
for the industry and the FDA. The approval process is expected to
be shorter and access to documentation will be faster and more
productive. HCL has provided 21 CFR Part 11 compliance
assessments for many clients on various requirements. One of the
case studies is mentioned below for reference.
Client Requirement
To create a validation plan for a universal testing machine with 21
CFR Part 11 compliance assessments.
HCL Solution
HCL created the validation plan and a tracking system to monitor
the 21 CFR Part 11 compliance requirement.
The validation plan defines:
Validation strategy for providing the documented evidence
necessary to demonstrate that the universal testing machine
functions according to requirements
Roles and responsibilities to implement and to be maintained
in validated state
Validation deliverables required to qualify the client process
and FDA requirement
Deliverables
Required deliverables for the universal testing machine (UTM)
validation plan are as follows:
Validation plan
Quality and regulatory assessment
21 CFR Part 11 coverage assessment
User requirements specification
Risk level and other risk documentation, e.g. PFMEA, if any.
DFMEA and PFMEA documents were not required as the risk
was medium, based on the risk assessment document.
Test cases for installation and user requirements
Requirement traceability matrix
Standard operating procedure
21 CFR Part 11 compliance assessment
Conclusion
The ultimate goal of computer system validation is to produce
documentation that actually raises the quality instead of just
producing more paper.
Over the years, HCL has developed a step-by-step approach to
computer system validation - 21 CFR Part 11 compliance. This
step-by-step procedure adheres to the FDA rules to meet Part 11
requirements and to ensure the electronic records and electronic
signatures are trustworthy, reliable and compatible with the FDA's
public health responsibilities.
References
Code of Federal Regulations, Title 21, Food and Drugs, Part 11 Electronic Records; Electronic Signatures
L. Huber, “Validation of Computerized Analytical and Networked Systems”
FDA Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Applications
L. Huber, “Risk-Based Validation of Commercial Off-the-Shelf Computer Systems”
Author Info
Kannan Palaniappan – Kannan has over 10 years of experience in new product design and development on electro-mechanical products, including three and a half years of medical product design. He has worked in cryoablation system design and development, and orthopedics instrument and sterilization unit system development.
Prasanna Kumar Thirunavukkarasu – Prasanna has over eight years of experience in new product design and development on electro-mechanical products that includes over a year in medical product design. He has worked in design and development of “energy-based devices” and orthopedic implants and instruments.