FDA 21 CFR Part 11 and Related Regulations and Guidances
Post on 21-Jan-2015
TM
Subject:
The Hollis
Group, Inc.
Dept. App.
Reg. Aff.
QA
Manuf.
Purch.
R & D
Eng.
Infrastructure Assurance
FDA 21 CFR 11 and Related
Regulations and Guidance
Part 1 – Review of Life Sciences IT
Security Requirements
Slide # 1 Doc. # 2521_00_06x © 2006 - 2012 The Hollis Group, Inc.
Electronic Signatures
Fundamentals - Scope
• As stated elsewhere, records that have been
electronically signed must be secure,
accurate and reproducible in order for the
electronic signatures to have any validity
• Therefore our agenda will include laws,
regulations and binding guidance that bear
upon the electronic records required by the
"predicate rules" applicable to our regulated
products or components:
e-Signature Regulations
and Guidance
• 21 CFR Part 11 – Electronic Records,
Electronic Signatures
– FDA – August 20, 1997
• Guidance for Industry
COMPUTERIZED SYSTEMS USED
IN CLINICAL TRIALS
– FDA – April, 1999
e-Signature Regulations
and Guidance
• General Principles of Software
Validation; Final Guidance for Industry
and FDA Staff
– FDA – January 11, 2002
• Guidance for Industry Part 11,
Electronic Records; Electronic
Signatures – Scope and Application
– FDA – August 2003
e-Signature Regulations
and Guidance
• Volume 4 Good Manufacturing Practice
(GMP) Guidelines: Annex 11 Computerised
Systems
– Eudralex – Effective June 2011
• DRAFT Guidance for Industry – Responding
to Unsolicited Requests for Off-Label
Information About Prescription Drugs and
Medical Devices
– FDA - CDER, CBER, CVM, CDRH – December 2011
e-Signature Predicate Rules –
US FDA
• 21 CFR PART 210 — CURRENT GOOD
MANUFACTURING PRACTICE IN MANUFACTURING,
PROCESSING, PACKING, OR HOLDING OF DRUGS;
GENERAL
• 21 CFR PART 211 — CURRENT GOOD
MANUFACTURING PRACTICE FOR FINISHED
PHARMACEUTICALS
• 21 CFR PART 820 — QUALITY SYSTEM REGULATION
• 21 CFR PART 821 — MEDICAL DEVICE TRACKING
REQUIREMENTS
Not "Predicate Rules"
But Touching the Subject
• U.S. Food, Drug, & Cosmetic Act
– 21 USC 331 (Prohibited acts)
• Sarbanes – Oxley (SOX)
– Pub.L. 107-204, 116 Stat. 745, Jul. 30, 2002
• Gramm – Leach – Bliley (GLB)
– Pub.L. 106-102, 113 Stat. 1338, Nov. 12, 1999
• The Electronic Signatures in Global and National
Commerce Act (ESIGN)
– Pub.L. 106-229, 14 Stat. 464, enacted June 30, 2000, 15
U.S.C. ch.96
• Fed. Rules of Criminal & Civil Procedure & Evidence
Some Interesting Bits…
From the U.S. Congress
• 18 USC 1001 - False information
• 18 USC 1341 - Mail fraud
• 18 USC 1343 - Wire fraud
• 18 USC 1905 - Leaking information
An Important Note About
21 CFR 11
This regulation applies to all electronic records,
including those that are NOT electronically signed.
21 CFR § 11.1 Scope. (b) This part applies to records in electronic
form that are created, modified, maintained, archived, retrieved, or
transmitted, under any records requirements set forth in agency
regulations. This part also applies to electronic records submitted to
the agency under requirements of the Federal Food, Drug, and
Cosmetic Act and the Public Health Service Act, even if such
records are not specifically identified in agency regulations.
An Important Note About
Annex 11
This regulation applies to all electronic records,
including those that are NOT electronically signed.
Principle
This annex applies to all forms of computerised systems used as
part of a GMP regulated activities. A computerised system is a set
of software and hardware components which together fulfill certain
functionalities.
An Even More Important Note
About 21 CFR 11 / Annex 11
The only time that you will actually use the electronic
signatures on the electronic records will be when
SOMEONE IS A CRIMINAL.
We’re getting a little ahead of ourselves, but this is an
important concept to keep in mind:
There actually are real threats out there.
Electronic Signatures and
Catching Criminals
• We only check a signature when we doubt
the veracity of an electronic record.
• A document can be adulterated for only one
of two reasons: error or fraud.
• The technology’s "integrity check" function
makes the probability of an unidentifiable
error extremely remote (i.e., 2^128).
• Therefore, the very action of challenging a
signature is the equivalent of an accusation
of deliberate fraud (i.e., a crime).
Eudralex Volume 4 Good Manufacturing
Practice (GMP) Guidelines:
Annex 11 Computerised Systems
Effective June 2011
Annex 11 –
Principle / General
"Should" == "must", validate the applications, qualify the
infrastructure, no decrease in quality or increase in risk
introduced by the computer system
1. Risk Management – Document a risk–managed
approach to the system lifecycle
Patient safety, data integrity, product quality
2. Personnel – Appropriate qualifications, access levels
and assigned responsibilities
3. Suppliers and Service Providers – Appropriate
agreements, audits based on risk assessments
More stringent than personnel requirements
Annex 11 –
Project Phase
4. Validation (It is interesting to note that all validation is
in this phase.)
4.1 – Risk assessment > life cycle steps > validation
documents
4.2 – Validation documents must include any change
control records and deviations
4.3 – Accurate GMP systems inventory with functions and
structures of critical ones
4.4 – There must be life-cycle traceable User
Requirements Specifications based on GMP risk
Annex 11 –
Project Phase
4.5 – The supplier should be "assessed" to have used a
QMS during development
4.6 – Bespoke-code systems must have more rigorous
life-cycle reporting / controls
4.7 – There must be documented evidence of appropriate
system testing
4.8 – There must be documented evidence of accurate
data transfer or migration
Annex 11 –
Operational Phase
5. Data – Data exchanges require integrity checks
6. Accuracy Checks – Manual data entry (of critical data)
requires a second accuracy check.
– Risk analysis for criticality
– Manual or automated second check
7. Data Storage – Data must be secured physically and
logically, and these mechanisms must be verified
during validation and periodically re-verified.
8. Printouts – There must be printout capability for stored
data that includes before / after views of any changes
to batch release data.
Annex 11 –
Operational Phase
9. Audit Trails – There must be a risk assessment to
determine if an audit trail is required for changes or
deletions of GMP-related electronic records.
– System-generated, regularly reviewed, and the "reason for
change" must be documented
– Although they are not required to be included within the
audit trail itself
10. Change and Configuration Management – must only
be done in a controlled manner via a defined
procedure
11. Periodic evaluation – More accurately, periodic
re-evaluation for function, problems, security, etc.
Annex 11 –
Operational Phase
12. Security
12.1 – Physical and logical controls
12.2 – Control extent based upon criticality
12.3 – Record operator ID and date / time for:
Creation, change, or cancellation of credentials
12.4 – Record operator ID and date / time for:
Entering, changing, confirming, or deleting data
13. Incident Management – Report all incidents, root
cause / CAPA of critical incidents
"Incident" is poorly defined
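An audit trail of the kind items 9 and 12.4 describe, as an added example that is not part of the original slides: each entry records operator ID, date / time, before / after values and the reason for change. Chaining every entry to the hash of the previous one is an assumption added here (Annex 11 does not prescribe it), and all field names and sample values are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def _digest(body: dict) -> str:
    # Hash a deterministic serialization of the entry body.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def append_entry(trail, operator_id, timestamp, action, field, before, after, reason):
    """Append a system-generated entry chained to the previous entry."""
    body = {
        "seq": len(trail), "operator_id": operator_id, "timestamp": timestamp,
        "action": action, "field": field, "before": before, "after": after,
        "reason": reason, "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    trail.append(dict(body, hash=_digest(body)))
    return trail


def first_broken_entry(trail):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["seq"] != i or body["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def build_sample_trail():
    # Constructed sample data: entry, correction, second-person check.
    trail = []
    append_entry(trail, "analyst01", "2011-03-01T09:00:00Z", "create",
                 "assay_pct", None, "98.7", "initial entry")
    append_entry(trail, "analyst01", "2011-03-01T09:20:00Z", "change",
                 "assay_pct", "98.7", "99.1", "transcription error")
    append_entry(trail, "qa02", "2011-03-01T10:00:00Z", "confirm",
                 "assay_pct", "99.1", "99.1", "second-person check")
    return trail
```

The chain detects an edited or removed entry in the middle of the trail; removing entries from the end is only detectable if the latest hash is also stored somewhere the operator cannot change.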
Annex 11 –
Operational Phase
14. Electronic Signature(s) – Acceptable on electronic
records, allowed if they:
a. have the same impact as hand-written signatures
within the boundaries of the company,
b. are permanently linked to their respective record,
c. include the time and date that they were applied.
15. Batch release – If a computerized system is used for
batch release, it must use e-signatures and a QP must
do the signing
16. Business Continuity – Required (paper backup?)
17. Archiving – Data "may" be archived? If it is, the
archive must be tested, etc.
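A signature that is linked to its record and includes the time it was applied (item 14 b and c), and that acts as the "integrity check" from the earlier slide on challenging signatures, as an added example that is not part of the original slides. HMAC-SHA256 with a constructed key stands in for a real digital-signature scheme, and the field names and sample values are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real system would hold per-signer keys in a PKI or HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _canonical(record: dict, signer_id: str, signed_at: str) -> bytes:
    # One deterministic byte string covering record, signer and signing time.
    envelope = {"record": record, "signer_id": signer_id, "signed_at": signed_at}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: dict, signer_id: str, signed_at: str, key: bytes = DEMO_KEY) -> dict:
    """Return a signature block bound to this exact record, signer and time."""
    msg = _canonical(record, signer_id, signed_at)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"signer_id": signer_id, "signed_at": signed_at, "tag": tag}


def verify_record(record: dict, signature: dict, key: bytes = DEMO_KEY) -> bool:
    """True only if record, signer ID and signing time are all unchanged."""
    msg = _canonical(record, signature["signer_id"], signature["signed_at"])
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["tag"])


def demo() -> dict:
    # Constructed sample record and signer.
    record = {"batch": "LOT-0001", "test": "purity", "result": "pass"}
    sig = sign_record(record, "qp.jsmith", "2011-06-30T14:05:00Z")
    return {
        "original": verify_record(record, sig),
        "altered_record": verify_record(dict(record, result="fail"), sig),
        "backdated": verify_record(record, dict(sig, signed_at="2011-06-01T00:00:00Z")),
        "other_signer": verify_record(record, dict(sig, signer_id="someone.else")),
    }


if __name__ == "__main__":
    print(demo())
```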
Annex 11 – Glossary
• Application
• Bespoke/Customized computerized system
• Commercial, off-the-shelf software
• IT Infrastructure
• Life cycle
• Process owner
• System owner
• Third Party
Recent Observations
In the Field: November 2011
• 10,000+ employee manufacturer / service
company in regulated industries
– Defense, Aerospace, Telecom, etc.
• Inventory control and tracking experts
– Automated warehouse, barcodes, RFID, etc.
• Moving into Pharmaceutical / Medical Device
– Learning curve on 21 CFR 11, VV&Q, etc.
• Major findings by "Big Pharma" audit teams:
– SDLC, Training Records, Device History Records,
CAPA, Change Control, Document Management
Recent Observations
In the Field: July 2011
THE UNITED STATES ATTORNEY’S OFFICE
DISTRICT of NEW JERSEY
FOR IMMEDIATE RELEASE
July 1, 2011
Former Shionogi employee arrested, charged with
hack attack on company servers
NEWARK, N.J. – A Georgia man who allegedly froze the operations of a New Jersey
pharmaceutical company where he had worked by deleting portions of its computer network has
been federally charged in connection with the alleged attack, U.S. Attorney Paul J. Fishman
announced.
Jason Cornish, 37, of Smyrna, Ga., was arrested this morning near his residence by special agents
of the FBI on a Complaint charging him with knowingly transmitting computer code with the
intent to damage computers in interstate commerce. He is expected to make an initial appearance
this afternoon before U.S. Magistrate Judge Janet F. King in Atlanta federal court.
Recent Observations
In the Field: March 2011
• FDA CDER withholds Pre-Approval
Inspection for Manufacturing Facility
• FDA Inspectional Findings: inspection found
that NMR testing files could be deleted.
• Also, no audit trail for the spectra acquired
by the NMR.
• No audit trail for computer system running
heparin purity test
– I.e., Lot release criteria
March 2011, FDA CDER
PAI Withhold
• Electronic data is the original raw data.
• Firm stated that they had used the hardcopy
data as official information and it was
archived.
• Investigator audited electronic files, and
found multiple electronic spectra with no
corresponding spectra in the hardcopy
archive.
• NMR instrument also not qualified.
– no IQ, OQ, or PQ
Thanks! Any Questions?
Thomas Quinn, CISSP, AAA
The Hollis Group, Inc.
PO Box 187
Paoli, PA 19301
v - 610-889-7350
f - 610-296-2314
www.hollisgroup.com
tquinn@hollisgroup.com