21 CFR Part 11 Compliance Training Module PDF

Tags

FDA regulations Electronic records Computerized systems Compliance

Summary

This document provides a training module on 21 CFR Part 11 compliance, focusing on the guidelines and procedures for the use of computerized systems in regulated activities, such as in the pharmaceutical industry. It covers topics such as the relationship between FDA's Part 11 and the European Union's Annex 11 and how the different approaches to compliance relate to risk assessment and validation.

Full Transcript


TRAINING MODULE

Module Name: 21 CFR Part 11 Compliance
Module No.: QS-024
Version No.: 02
Effective Date: ___________________

Prepared By (Concerned Dept.): ______________________ Date: _________________
Checked By (Head of Concerned Dept.): ______________________ Date: _________________
Approved By (Quality Head): ______________________ Date: _________________

AGENDA

- Introduction
- Background
- 21 CFR Part 11
- Comparison of Annex 11 and Part 11
- Section in 21 CFR Part 11
- Terminology
- Overall Approach to Part 11 Requirements
- Details of Approach – Scope of Part 11
- Approach to Specific Part 11 Requirements
- Cross-Reference from Annex 11 to Part 11
- Conclusions

INTRODUCTION

- FDA's Part 11 (21 CFR Part 11) and the European Union's Annex 11 (EUDRALEX Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use) diverge in philosophy. Both documents cover the same topic, the use of computerized systems in regulated activities. However, the approach of Part 11 is to make clear there are requirements to be met in order to conform to regulations. The emphasis is on activities and reporting.
- In contrast, the approach of Annex 11 is to make clear how to conform to its rules. Annex 11 is a detailed guide to the areas of compliance that need documentation. A significant difference is the approach to risk management. Annex 11 points to risk assessment as the start of compliance activities. Part 11 differentiates security for open and closed systems, with extra security measures for open systems but without reference to risk or criticality.
BACKGROUND

- In March of 1997, FDA issued final part 11 regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper. These regulations, which apply to all FDA program areas, were intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the public health.
- After part 11 became effective in August 1997, significant discussions ensued among industry, contractors, and the Agency concerning the interpretation and implementation of the regulations. FDA has (1) spoken about part 11 at many conferences and met numerous times with an industry coalition and other interested parties in an effort to hear more about potential part 11 issues; (2) published a compliance policy guide, CPG 7153.17: Enforcement Policy: 21 CFR Part 11; Electronic Records; Electronic Signatures; and (3) published numerous draft guidance documents including the following:
  - 21 CFR Part 11; Electronic Records; Electronic Signatures, Validation
  - 21 CFR Part 11; Electronic Records; Electronic Signatures, Glossary of Terms
  - 21 CFR Part 11; Electronic Records; Electronic Signatures, Time Stamps
  - 21 CFR Part 11; Electronic Records; Electronic Signatures, Maintenance of Electronic Records
  - 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records
- Throughout all of these communications, concerns have been raised that some interpretations of the part 11 requirements would (1) unnecessarily restrict the use of electronic technology in a manner that is inconsistent with FDA's stated intent in issuing the rule, (2) significantly increase the costs of compliance to an extent that was not contemplated at the time the rule was drafted, and (3) discourage innovation and technological advances without providing a significant public health benefit. These concerns have been raised particularly in the areas of part 11 requirements for validation, audit trails, record retention, record copying, and legacy systems.

What is called "21 CFR 11," or "FDA 21 CFR Part 11"

- FDA is the acronym for the Food and Drug Administration.
- FDA was established to serve and protect the interests of public health.
- CFR stands for Code of Federal Regulations and refers to a document listing United States Federal Regulations.
- The number "21" is short for "Title 21, Chapter I," and the number "11" for "Part 11".
- Title 21 concerns the area of Food and Drugs, Chapter I is the section related to FDA, and Part 11 is the sub-section of this chapter, which focuses on a specific area (i.e., Electronic Records; Electronic Signatures).
- "Code of Federal Regulations: Food and Drug Administration Title 21, Chapter I, Part 11 - Electronic Records; Electronic Signatures".

COMPARISON OF ANNEX 11 AND PART 11

| | ANNEX 11 | PART 11 |
|---|---|---|
| Scope/Principle | Computerized systems as part of GMP regulated activities. Application should be validated. IT infrastructure should be qualified. | Electronic records and electronic signatures as used for all FDA regulated activities. |
| Focus | Risk-based quality management of computerized systems. | Using electronic records and signatures in open and closed computer systems. |
| Objective | Using a computerized system should ensure the same product quality and quality assurance as manual systems with no increase in the overall risk. | Electronic records and signatures should be as trustworthy and reliable as paper records and handwritten signatures. |
SECTION IN 21 CFR PART 11

ELECTRONIC RECORDS

- Secure process values and audit trails (alarms, events, operator actions, log-in/log-out, operator notes, electronic signatures)
- Protection of data through binary, compressed and check-summed records
- Accurate time stamps are ensured using automatic time synchronization to a known clock source
- Provision for electronically copying data for archive
- Export facility providing viewing of secure records in human readable form

ELECTRONIC SIGNATURE

- All user actions can be configured to require signing or require signing and authorization
- User specific access according to authority level
- Signature element controls unique user signature, password expiry, minimum password length, automatic log-off, automatic disabling and notification of failed login attempts
- Ensuring unique users by retiring and not deleting accounts

TERMINOLOGY

- Electronic Records: Electronic records are "any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system".
- Closed system: A closed system is defined as an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
- Open system: An open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
- Electronic Signature: An electronic signature is "a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature".
- Biometric: "A method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable."
- Handwritten Signature: The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.
- Digital Signature: An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
- Hybrid systems: Hybrid systems are a combination of electronic records and paper records. They are common systems in analytical laboratories today. Raw data are recorded electronically to reconstruct the analysis but the final results are printed and signed on paper. The FDA does not prohibit hybrid systems but has expressed some concerns about their acceptability.

Overall Approach to Part 11 Requirements

Described in more detail below, the approach outlined in this guidance is based on three main elements:

- Part 11 will be interpreted narrowly; we are now clarifying that fewer records will be considered subject to part 11.
- For those records that remain subject to part 11, we intend to exercise enforcement discretion with regard to part 11 requirements for validation, audit trails, record retention, and record copying in the manner described in this guidance and with regard to all part 11 requirements for systems that were operational before the effective date of part 11 (also known as legacy systems).
- We will enforce all predicate rule requirements, including predicate rule record and record keeping requirements.

It is important to note that FDA's exercise of enforcement discretion as described in this guidance is limited to specified part 11 requirements (setting aside legacy systems, as to which the extent of enforcement discretion, under certain circumstances, will be more broad). We intend to enforce all other provisions of part 11 including, but not limited to, certain controls for closed systems in § 11.10. For example, we intend to enforce provisions related to the following controls and requirements:

- Limiting system access to authorized individuals
- Use of operational system checks
- Use of authority checks
- Use of device checks
- Determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
- Establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
- Appropriate controls over systems documentation
- Controls for open systems corresponding to controls for closed systems bulleted above (§ 11.30)
- Requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300)

Details of Approach – Scope of Part 11

1. Narrow Interpretation of Scope

We understand that there is some confusion about the scope of part 11. Some have understood the scope of part 11 to be very broad. We believe that some of those broad interpretations could lead to unnecessary controls and costs and could discourage innovation and technological advances without providing added benefit to the public health. As a result, we want to clarify that the Agency intends to interpret the scope of part 11 narrowly.
Under the narrow interpretation of the scope of part 11, with respect to records required to be maintained under predicate rules or submitted to FDA, when persons choose to use records in electronic format in place of paper format, part 11 would apply.

On the other hand, when persons use computers to generate paper printouts of electronic records, and those paper records meet all the requirements of the applicable predicate rules and persons rely on the paper records to perform their regulated activities, FDA would generally not consider persons to be "using electronic records in lieu of paper records" under §§ 11.2(a) and 11.2(b). In these instances, the use of computer systems in the generation of paper records would not trigger part 11.

2. Definition of Part 11 Records

Under this narrow interpretation, FDA considers part 11 to be applicable to the following records or signatures in electronic format (part 11 records or signatures):

- Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format. On the other hand, records (and any associated signatures) that are not required to be retained under predicate rules, but that are nonetheless maintained in electronic format, are not part 11 records. We recommend that you determine, based on the predicate rules, whether specific records are part 11 records. We recommend that you document such decisions.
- Records that are required to be maintained under predicate rules, that are maintained in electronic format in addition to paper format, and that are relied on to perform regulated activities. In some cases, actual business practices may dictate whether you are using electronic records instead of paper records under § 11.2(a). For example, if a record is required to be maintained under a predicate rule and you use a computer to generate a paper printout of the electronic records, but you nonetheless rely on the electronic record to perform regulated activities, the Agency may consider you to be using the electronic record instead of the paper record. That is, the Agency may take your business practices into account in determining whether part 11 applies. Accordingly, we recommend that, for each record required to be maintained under predicate rules, you determine in advance whether you plan to rely on the electronic record or paper record to perform regulated activities.
- Records submitted to FDA, under predicate rules (even if such records are not specifically identified in Agency regulations) in electronic format (assuming the records have been identified in docket number 92S-0251 as the types of submissions the Agency accepts in electronic format). However, a record that is not itself submitted, but is used in generating a submission, is not a part 11 record unless it is otherwise required to be maintained under a predicate rule and it is maintained in electronic format.
- Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other general signings required by predicate rules. Part 11 signatures include electronic signatures that are used, for example, to document the fact that certain events or actions occurred in accordance with the predicate rule (e.g. approved, reviewed, and verified).

Approach to Specific Part 11 Requirements

1. Validation

The Agency intends to exercise enforcement discretion regarding specific part 11 requirements for validation of computerized systems (§ 11.10(a) and corresponding requirements in § 11.30).
Although persons must still comply with all applicable predicate rule requirements for validation (e.g., 21 CFR 820.70(i)), this guidance should not be read to impose any additional requirements for validation. We suggest that your decision to validate computerized systems, and the extent of the validation, take into account the impact the systems have on your ability to meet predicate rule requirements. You should also consider the impact those systems might have on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures. Even if there is no predicate rule requirement to validate a system, in some instances it may still be important to validate the system.

We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity. For instance, validation would not be important for a word processor used only to generate SOPs. For further guidance on validation of computerized systems, see FDA's guidance for industry and FDA staff General Principles of Software Validation and also industry guidance such as the GAMP 4 Guide (See References).

2. Audit Trail

The Agency intends to exercise enforcement discretion regarding specific part 11 requirements related to computer-generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in § 11.30). Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.
Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events in a particular instance, it may nonetheless be important to have audit trails or other physical, logical, or procedural security measures in place to ensure the trustworthiness and reliability of the records. We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity. We suggest that you apply appropriate controls based on such an assessment. Audit trails can be particularly appropriate when users are expected to create, modify, or delete regulated records during normal operation.

3. Legacy Systems

The Agency intends to exercise enforcement discretion with respect to all part 11 requirements for systems that otherwise were operational prior to August 20, 1997, the effective date of part 11, under the circumstances specified below:

- The system was operational before the effective date.
- The system met all applicable predicate rule requirements before the effective date.
- The system currently meets all applicable predicate rule requirements.
- You have documented evidence and justification that the system is fit for its intended use (including having an acceptable level of record security and integrity, if applicable).

If a system has been changed since August 20, 1997, and if the changes would prevent the system from meeting predicate rule requirements, Part 11 controls should be applied to Part 11 records and signatures pursuant to the enforcement policy expressed in this guidance.

4. Copies of Records

The Agency intends to exercise enforcement discretion with regard to specific part 11 requirements for generating copies of records (§ 11.10 (b) and any corresponding requirement in § 11.30). You should provide an investigator with reasonable and useful access to records during an inspection. All records held by you are subject to inspection in accordance with predicate rules (e.g., §§ 211.180(c), (d), and 108.35(c)(3)(ii)).

We recommend that you supply copies of electronic records by:

- Producing copies of records held in common portable formats when records are maintained in these formats.
- Using established automated conversion or export methods, where available, to make copies in a more common format (examples of such formats include, but are not limited to, PDF, XML, or SGML).

In each case, we recommend that the copying process used produces copies that preserve the content and meaning of the record. If you have the ability to search, sort, or trend part 11 records, copies given to the Agency should provide the same capability if it is reasonable and technically feasible. You should allow inspection, review, and copying of records in a human readable form at your site using your hardware and following your established procedures and techniques for accessing records.

5. Record Retention

The Agency intends to exercise enforcement discretion with regard to the part 11 requirements for the protection of records to enable their accurate and ready retrieval throughout the records retention period (§ 11.10 (c) and any corresponding requirement in § 11.30).
Persons must still comply with all applicable predicate rule requirements for record retention and availability (e.g., §§ 211.180(c),(d), 108.25(g), and 108.35(h)). We suggest that your decision on how to maintain records be based on predicate rule requirements and that you base your decision on a justified and documented risk assessment and a determination of the value of the records over time.

FDA does not intend to object if you decide to archive required records in electronic format to non electronic media such as microfilm, microfiche, and paper, or to a standard electronic file format (examples of such formats include, but are not limited to, PDF, XML, or SGML). Persons must still comply with all predicate rule requirements, and the records themselves and any copies of the required records should preserve their content and meaning. As long as predicate rule requirements are fully satisfied and the content and meaning of the records are preserved and archived, you can delete the electronic version of the records. In addition, paper and electronic record and signature components can co-exist (i.e., a hybrid situation) as long as predicate rule requirements are met and the content and meaning of those records are preserved.

Cross-Reference from Annex 11 to Part 11

| Annex 11 Section No. | Annex 11 Title | Part 11 Cross Reference (substantially equivalent) |
|---|---|---|
| | Principle | 11.2(b) - Implementation; 11.10(a) - Validation |
| General | | |
| 1 | Risk Management | Not covered |
| 2 | Personnel | 11.10(i) - Personnel |
| 3 | Suppliers and Service Providers | Not covered |
| 3.1 | Formal agreements | Not covered |
| 3.2 | Audit supplier | Not covered |
| 3.3 | Review documentation for COTS | Not covered |
| 3.4 | Supplier audit available on request | Not covered |
| Project Phase | | |
| 4 | Validation | 11.10(a) - Validation |
| 4.1 | Cover life cycle | Not covered |
| 4.2 | Change control and deviations | 11.10(k) - Documentation control |
| 4.3 | Systems inventory | Not covered |
| 4.4 | User requirement specifications | Not covered |
| 4.5 | Quality management system | Not covered |
| 4.6 | Process for customized systems | Not covered |
| 4.7 | Evidence of appropriate test methods | Not covered |
| 4.8 | Data transfer validation | 11.10(h) - Device checks |
| Operational Phase | | |
| 5 | Data | 11.10(f) - Operational system checks; 11.30 - Controls for open systems |
| 6 | Accuracy Checks | 11.10(f) - Operational system checks |
| 7 | Data Storage | 11.10(c) - Protection of records |
| 7.1 | Secured and accessible | 11.10(d) - Limiting system access; 11.10(e) - Secure Records; 11.10(g) - Authority checks |
| 7.2 | Back-up | Not covered |
| 8 / 8.1 | Printouts / Clear printed copies | 11.10(b) - Generate accurate and complete copies |
| 8.2 | Batch release/changed since original | Not covered |
| 9 | Audit Trails | 11.10(e) - Electronic audit trail; 11.10(k)(2) - Documentation control |
| 10 | Change and Configuration Management | 11.10(d) - Limiting system access; 11.10(e) - Electronic audit trail |
| 11 | Periodic evaluation | 11.300(b) and (e) - periodically checked; 11.10(k) - Documentation control |
| 12 | Security | 11.10(c) - Protection of records |
| 12.1 | Physical/Logical | 11.10(d) - Limiting system access; 11.10(g) - Authority checks; 11.200(a) and (b) - biometrics; 11.300(a) - Unique; 11.300(d) - prevent unauthorized use |
| 12.2 | Criticality | Not covered |
| 12.3 | Security-record events | 11.300(b) and (c) - Controls for Identification Codes/Passwords |
| 12.4 | Data management/operators entries | 11.10(e) - Controls for Closed Systems |
| 13 | Incident Management | Not covered |
| 14 | Electronic Signature | 11.50 - Signature manifestations |
| 14(a) | Same as hand-written | 11.1(a) Scope, 11.3(b)(7) Definitions; 11.100(c) Certify equivalent to handwritten |
| 14(b) | Permanent link | 11.70 - Signature/record linking |
| 14(c) | Time and date | 11.10(e) - Electronic audit trail |
| 15 | Batch release | Not covered |
| 16 | Business Continuity | Not covered |
| 17 | Archiving | 11.10(c) - Protection of records for accurate retrieval |

| Part 11 Section No. | Part 11 Title | Annex 11 Cross Reference (substantially equivalent) |
|---|---|---|
| Subpart B | Electronic Records | |
| 11.10 | Controls for closed systems | |
| 11.10(a) | Validation | 4 - Validation |
| 11.10(b) | Generate accurate and complete copies | 8.1 - Printouts |
| 11.10(c) | Protection of records for accurate retrieval | 17 - Archiving; 12 - Security; 7 - Data Storage |
| 11.10(d) | Limiting system access to authorized individuals | 7.1 - secured and accessible; 10 - Change and Configuration Management; 12.1 - Security, physical/logical |
| 11.10(e) | Record of operator entries (audit trail) | 7.1 - secured and accessible; 9 - Audit Trails; 10 - Change and Configuration Management; 12.4 - data management/operators entries; 14(c) - Electronic Signature |
| 11.10(f) | Operational system checks | 5 - Data; 6 - Accuracy Checks |
| 11.10(g) | Authority checks | 7.1 - secured and accessible; 12.1 - Security, physical/logical |
| 11.10(h) | Device checks | 4.8 - Validation |
| 11.10(i) | Personnel (who develop, users and maintain systems) | 2 - Personnel |
| 11.10(j) | User accountability for actions initiated under e-signatures | Not covered |
| 11.10(k) | Documentation control | 9 - Audit Trails; 4.2 - change control and Deviations; 10 - Change and Configuration Management; 11 - Periodic evaluation |
| 11.30 | Controls for open systems | Principle (all systems); 5 - Data |
| 11.50 | Signature manifestations | 14 - Electronic Signature |
| 11.70 | Signature/record linking | 14(b) - Electronic Signature |
| Subpart C | Electronic Signatures | |
| 11.100 | General requirements | |
| 11.100(a) | Unique/not reused | Not covered |
| 11.100(b) | Verify identity | Not covered |
| 11.100(c) | Certify equivalent to handwritten | 14(a) - same as hand-written |
| 11.200 | Electronic signature components and controls | |
| 11.200(a) | Not based on biometrics | 12.1 - Security, physical/logical |
| 11.200(b) | Based on biometrics | 12.1 - Security, physical/logical |
| 11.300(a) | Unique | 12.1 - Security, physical/logical |
| 11.300(b) | Periodically checked | 11 - Periodic Evaluation; 12.3 - Security, record events |
| 11.300(c) | Procedures to deauthorize | 12.3 - Security, record events |
| 11.300(d) | Prevent unauthorized use | 12.1 - Security |
| 11.300(e) | Proper function | 11 - Periodic evaluation |

Conclusions

Annex 11 for computerized systems impacts manufacturers who export to the EU and those who manufacture products in the EU. Close scrutiny of the parallel FDA and EU rules shows the authorities share a mutual intent to have safe, validated computer systems and qualified networks for drug and device manufacturing.
Limited areas of Part 11 are dissimilar to Annex 11; these, for the most part, are limited to the verification of identity and accountability of actions by authorized individuals, as well as to the reporting to authorities. Part 11 applies to e-submissions to the FDA. Annex 11 is different from Part 11 in that it takes a risk management approach to criticality and emphasises a systems approach to periodic evaluations. Annex 11 is 'how to' while Part 11 is 'thou shalt' in tone. Together they form a robust and usable guide for computer validation professionals leading their companies and clients to compliance.

Thank You
