1 / 35

21 CFR Part 11 Electronic Records & Electronic Signatures

21 CFR Part 11 Electronic Records & Electronic Signatures. Svend Martin Fransen Principal Scientist, QS CRS Quality Services Novo Nordisk A/S. Contents . 21CFR11 history The important aspects of 21CFR11 Equivalent requirements in EU legislation

kobe
Download Presentation

21 CFR Part 11 Electronic Records & Electronic Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 21 CFR Part 11Electronic Records & Electronic Signatures Svend Martin Fransen Principal Scientist, QS CRS Quality Services Novo Nordisk A/S

  2. Contents • 21CFR11 history • The important aspects of 21CFR11 • Equivalent requirements in EU legislation • The Novo Nordisk 21 CFR11 compliance project • Examples • Experiences learned

  3. Contents • 21CFR11 history • The important aspects of 21CFR11 • Equivalent requirements in EU legislation • The Novo Nordisk 21 CFR11 compliance project • Examples • Experiences learned

  4. Why do we have computers? It has gradually become common knowledge that knowledge is the most important resource in the business of the future. It is the ability to create new knowledge and the ability to utilize and organizeexisting knowledge that will be the primary source for obtaining lasting competitive advantages. Peter Holdt Christensen: ”Viden om” – ledelse, viden og virksomheden

  5. What is 21CFR11? • 21CFR = FDA, Code of Federal Regulations • 21CFR58 = GLP • 21CFR210 = GMP, Drugs (General) • 21CFR211 = GMP, Drugs (Finished Pharmaceuticals) • 21CFR312 = Inv. New drug Application (GCP) • 21CFR314 = FDA Approval of new drug (GCP) • 21CFR6xx = GMP, biologics • 21CFR820 = GMP, Devices • 21CFR…… = Food, nutrients and cosmetics • 21CFR11 = Electronic Records; Electronic Signatures

  6. Historic overview • A wish from the Industry (use of ES) • FDA: • Final Draft i 1994 • Final Rule 20.March.1997, effective from 20.Aug.1997 • 4 draft guidelines, ’Glossary of Terms’, ’Validation’, ’Time stamps’ and ’Maintenance of ER’ • GAMP Part 11 guide, published Nov. 2001 (part 2) • PDA ”GERM” guide, published Sep. 2002 (part 1) • PDA ”GERM” guide ’Models’, expected 2003 (part 3)

  7. Contents • 21CFR11 history • The important aspects of 21CFR11 • Equivalent requirements in EU legislation • The Novo Nordisk 21 CFR11 compliance project • Examples • Experiences learned

  8. 21CFR11, Overview • Substantive rule from 20 August 1997 • Applies to any e-record in any FDA regulated work including legacy systems • Criteria for e-records and e-signatures: • Trustworthy and reliable • E-signatures = hand-written signatures • Minimum requirements / fraud prevention

  9. Systems not Applications • All definitions and clauses in 21 CFR 11 refer to systems • Application is not mentioned • IT part of the GXP environment. • Do they know? Application Instructions, Manuals, etc. -software Platform Equipment - hardware - system SW Computer system Controlled function Computer based system Working environment COMPUTER RELATED SYSTEM

  10. 21 CFR Part 11, Basics • Electronic records equivalent with paper records • Storage, retrieval and copying in full retention period • Submitting to FDA • Protection of electronic records • Security (physical and logical) • Validation • Audit trail (who did what, when including reason where req.) • Permission to use of electronic signature • Equivalent with handwritten signatures • Name, date and meaning • Linking of signature to record • Unique for an individual

  11. ORA, Compliance Policy Guide CPG 7153.17 (May 1999) • Acknowledging ‘not all older systems fully compliant by Aug 20, 1997’ • ‘firms must take steps to achieve full compliance’ • ‘Regulatory actions based on case by case evaluation’ • ‘FDA auditors should intensify their scrutiny of e-recs’ • Calls for firms to • have a ‘reasonable timetable’ • ‘promptly modify’ any system not in compliance • ‘be able to demonstrate progress’ • ‘have procedural controls in place by now’

  12. FDA 21CFR11 inspection questions (source: : 21CFR11 Compliance Report, Vol.2, No. 4). • Who is allowed to input data? • Who is allowed to change data? • How can you tell who entered the data? • How do you know which data had been changed? • When do you lock down the data input? • Can you do the following actions? “Show me some data, show me you can see the history of the data, show me you control the data life cycle.” • Is the system validated and are the requirements met? • Can you show me the results of the validation activities? • Does the validation include: “Pass/fail, signature, date/time stamp”; and “objective evidence - screen prints or page printouts with a link to the direction that generated the output.”?

  13. Earlham College, Warning Letter • In addition to the above listed violations, our Investigator noted that the laboratory is using an electronic record system for processing and storage of data from the atomic absorption and HPLC instruments that is • not set up to control the security and data integrity in that the system is not password controlled, • there is no systematic back-up provision, and • there is no audit trail of the system capabilities. • The system does not appear to be designed and controlled in compliance with the requirements of 21 CFR, Part 11, Electronic Records.

  14. Contents • 21CFR11 history • The important aspects of 21CFR11 • Equivalent requirements in EU legislation • The Novo Nordisk 21 CFR11 compliance project • Examples • Experiences learned

  15. EU • Annex 11, Computerised Systems • Personnel • Validation • System • Descriptions and SOP’s • Change control and configuration management • Records; entry, storage, retrieval • Audit trail • Security and Disaster recovery • etc.

  16. PIC/S Draft Guidance Good Practices for Computerised Systems in regulated ”GXP” environment • Computer System Life cycle, incl. • Electronic Records and Signatures • Security, and • Audit trail • Checklists for Inspection • Links ISO and IEEE standards, 21CFR11, APV guides, PDA Technical Reports together

  17. Quote from PIC/S Guide 21. ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES • 21.1 EC Directive 91/356 sets out the legal requirements for EU GMP. The GMP obligations include a requirement to maintain a system of documentation, (Article 9). The main requirements in Article 9.1 are that documents are clear, legible and up to date, that the system of documentation makes it possible to trace the history of manufacture (and testing) of each batch and that the records are retained for the required time. Article 9.2 envisages that this documentation may be electronic, photographic or in the form of another data processing system, rather than written. The main requirements here being that the regulated user has validated the system by proving that the system is able to store the data for the required time, that the data is made readily available in legible form and that the data is protected against loss or damage.

  18. Draft Proposal for a Commission Directive (30.Apr.2002) • Amending Commission Directive 91/356/EEC , Laying Down the Principles and Guidelines of Good Manufacturing Practice for Medicinal Products for Human Use • "When electronic, photographic or other data processing systems are used instead of written documents, the manufacturer or importer shall have validated the systems by proving that the data will be appropriately stored during the anticipated period of storage. Data stored by these systems shall be made readily available in legible form and shall be provided on demand to the competent authorities. For an investigational medicinal product when electronic, photographic or other data processing systems are used instead of written documents the manufacturer or importer shall have validated the systems to maintain the data during the required period of storage. Data stored by these systems shall be readily available in legible form and shall be provided on demand to the competent authorities."

  19. Contents • 21CFR11 history • The important aspects of 21CFR11 • Equivalent requirements in EU legislation • The Novo Nordisk 21 CFR11 compliance project • Examples • Experiences learned

  20. 21CFR11 Compliance Project • Purpose • Assist the units/system owners to prioritise the activities necessary to get in compliance over a limited period of time. • Scope • All Computer Systems within Novo Nordisk that • generate electronic records covered by regulatory requirements from FDA, • including the systems that utilise Electronic Signatures

  21. Overview of the 21CFR11 compliance project Development Product Supply Staffs, Quality, RA and other 21CFR11 project No. of systems today = 868 (PS) + 219 (Dev.) + 65 (others) = 1152 systems (..and more to come)

  22. 21CFR11 Compliance Project • Tasks • Secure cGxP for 21CFR11 at Novo Nordisk • Maintain corporate policy and interpretations • Responsible for project QAP reporting • Participate in external groups as NN representatives • Distribute knowledge to organisation through • Training (short courses and Site specific) • Knowledge and guidance database • Project web page • Guidelines

  23. Guidance database-web-enabled

  24. Activities in relation to Part 11 • Identify and register systems (overview) • Prioritise systems • Evaluate ”high-risk” systems • Evaluate ”medium- and low-risk” systems • Evaluate corrections/solutions • Prepare implementation plan • ”Quick fixes” • ”Full compliance, technical and procedural • Implement solutions

  25. Prioritisation of systems Regulatory Risk • GxP, support systems (20) Medium risk High risk • Other GxP critical, systems (11) Y Low risk Medium risk • Non-GxP systems (17) X Factor, based on: No. of records generated by the system, no. of users, frequency of use and system complexity

  26. Gradual achievement of compliance 40 20 Phase 2 20 Phase 1 60 20 50 20 Phase 1: Implement Site and system procedures Phase 2: Technology based solutions, etc.

  27. Deliverables from common workgroups • Evaluation of the system (gap-analysis) for technical issues • Evaluation of possible solutions • Recommendations and other input from supplier(s) • Recommended solutions, including • Draft or example of procedures • Description of technical solution • Estimated costs • Suggested implementation plan

  28. System registration QA System evaluation on Implementation plan Site approved track preparation on track LL K L A LL J J B J J J C J J K D J K LLL E J K K F J LL L G J J J H J J J I J K K J LL J K K LL J J L Progress Follow Up Example = On track = Ensure no further delay = Take action to catch up

  29. Examples of Pilot projects in production area • Kaye Validator • SCADA (Fix32) • Filter testing equipment (PALL) • Instron (replacement for..) • PE laboratory equipment (UV/VIS + ..) incl. replacements for..) • Usifroid freeze dryer • BMS (building monitoring systems) • ...more to come (due to standardisation)

  30. Contents • 21CFR11 history • The important aspects of 21CFR11 • Equivalent requirements in EU legislation • The Novo Nordisk 21 CFR11 compliance project • Examples • Experiences learned

  31. What can go wrong, will ... • HPCE (High Pressure Capillary Electrophoresis) Scenario: Replacement of chromatography software to Millennium and setting up an archive installation • 7 year old software • HW requirements to PC • Migration of ER from OS/2 to Win NT • Indexation of migrated data • ER on tape stored in safe • Use of archive installation • Training of users • SOPs

  32. Example for remediation • A hardware solution: • Control power supply to individual physical entities in a PC including keyboard and mouse • Solution is OS independent • User access is controlled via Smart card: • User profiles supported by pin code on the ZignX keyboard. • Logging of access attempts Further information: http://www.zignx.dk/

  33. Contents • 21CFR11 history • The important aspects of 21CFR11 • Equivalent requirements in EU legislation • The Novo Nordisk 21 CFR11 compliance project • Examples • Experiences learned

  34. Conclusions • Management commitment pivotal • Expensive and complex • Requires highly skilled project management • Risk-based prioritisation • FDA enforcement becomes tougher • and EU is on it’s way (DRAFT PIC/S Guidance) • Just do it..!

  35. Problem areas • Lack of knowledge in the organisation on • Computer Validation • 21 CFR Part 11 • Maintenance of computer systems • Purchase of non-compliant systems are ongoing • ”Part 11 compliant systems” do not exist • Administrative controls (= Company policies) • Procedural controls (= Company SOP’s) • Technical controls (= Supplier SW controls)

More Related