FDA 21 CFR Part 11 and Related Regulations and Guidances


Upload: institute-of-validation-technology

Post on 21-Jan-2015


Page 1: FDA 21 CFR Part 11 and Related Regulations and Guidances

TM

Subject:

The Hollis

Group, Inc.

Dept. App.

Reg. Aff.

QA

Manuf.

Purch.

R & D

Eng.

Infrastructure Assurance

FDA 21 CFR 11 and Related Regulations and Guidance

Part 1 – Review of Life Sciences IT Security Requirements

Slide # 1 Doc. # 2521_00_06x © 2006 - 2012 The Hollis Group, Inc.

Page 2: FDA 21 CFR Part 11 and Related Regulations and Guidances


Electronic Signatures Fundamentals - Scope

• As stated elsewhere, records that have been electronically signed must be secure, accurate and reproducible in order for the electronic signatures to have any validity
• Therefore our agenda will include laws, regulations and binding guidance that bear upon the electronic records required by the "predicate rules" applicable to our regulated products or components:

Page 3: FDA 21 CFR Part 11 and Related Regulations and Guidances

e-Signature Regulations and Guidance

• 21 CFR Part 11 – Electronic Records, Electronic Signatures
  – FDA – August 20, 1997
• Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS
  – FDA – April, 1999

Page 4: FDA 21 CFR Part 11 and Related Regulations and Guidances

e-Signature Regulations and Guidance

• General Principles of Software Validation; Final Guidance for Industry and FDA Staff
  – FDA – January 11, 2002
• Guidance for Industry Part 11, Electronic Records; Electronic Signatures – Scope and Application
  – FDA – August 2003

Page 5: FDA 21 CFR Part 11 and Related Regulations and Guidances

e-Signature Regulations and Guidance

• Volume 4 Good Manufacturing Practice (GMP) Guidelines: Annex 11 Computerised Systems
  – Eudralex – Effective June 2011
• DRAFT Guidance for Industry – Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices
  – FDA - CDER, CBER, CVM, CDRH – December 2011

Page 6: FDA 21 CFR Part 11 and Related Regulations and Guidances

e-Signature Predicate Rules – US FDA

• 21 CFR PART 210 — CURRENT GOOD MANUFACTURING PRACTICE IN MANUFACTURING, PROCESSING, PACKING, OR HOLDING OF DRUGS; GENERAL
• 21 CFR PART 211 — CURRENT GOOD MANUFACTURING PRACTICE FOR FINISHED PHARMACEUTICALS
• 21 CFR PART 820 — QUALITY SYSTEM REGULATION
• 21 CFR PART 821 — MEDICAL DEVICE TRACKING REQUIREMENTS

Page 7: FDA 21 CFR Part 11 and Related Regulations and Guidances

Not "Predicate Rules" But Touching the Subject

• U.S. Food, Drug, & Cosmetic Act
  – 21 USC 331 (Prohibited acts)
• Sarbanes – Oxley (SOX)
  – Pub.L. 107-204, 116 Stat. 745, Jul. 30, 2002
• Gramm – Leach – Bliley (GLB)
  – Pub.L. 106-102, 113 Stat. 1338, Nov. 12, 1999
• The Electronic Signatures in Global and National Commerce Act (ESIGN)
  – Pub.L. 106-229, 14 Stat. 464, enacted June 30, 2000, 15 U.S.C. ch.96
• Fed. Rules of Criminal & Civil Procedure & Evidence

Page 8: FDA 21 CFR Part 11 and Related Regulations and Guidances

Some Interesting Bits… From the U.S. Congress

• 18 USC 1001 - False information
• 18 USC 1341 - Mail fraud
• 18 USC 1343 - Wire fraud
• 18 USC 1905 - Leaking information

Page 9: FDA 21 CFR Part 11 and Related Regulations and Guidances

An Important Note About 21 CFR 11

This regulation applies to all electronic records, including those that are NOT electronically signed.

21 CFR § 11.1 Scope. (b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations.

Page 10: FDA 21 CFR Part 11 and Related Regulations and Guidances

An Important Note About Annex 11

This regulation applies to all electronic records, including those that are NOT electronically signed.

Principle

This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill certain functionalities.

Page 11: FDA 21 CFR Part 11 and Related Regulations and Guidances


An Even More Important Note About 21 CFR 11 / Annex 11

The only time that you will actually use the electronic signatures on the electronic records will be when SOMEONE IS A CRIMINAL.

We’re getting a little ahead of ourselves, but this is an important concept to keep in mind:

There actually are real threats out there.

Page 12: FDA 21 CFR Part 11 and Related Regulations and Guidances

Electronic Signatures and Catching Criminals

• We only check a signature when we doubt the veracity of an electronic record.
• A document can be adulterated for only one of two reasons: error or fraud.
• The technology’s "integrity check" function makes the probability of an unidentifiable error extremely remote (i.e., 2^128).
• Therefore, the very action of challenging a signature is the equivalent of an accusation of deliberate fraud (i.e., a crime).

Page 13: FDA 21 CFR Part 11 and Related Regulations and Guidances

Eudralex Volume 4 Good Manufacturing Practice (GMP) Guidelines: Annex 11 Computerised Systems

Effective June 2011

Page 14: FDA 21 CFR Part 11 and Related Regulations and Guidances

Annex 11 – Principle / General

"Should" == "must", validate the applications, qualify the infrastructure, no decrease in quality or increase in risk introduced by the computer system

1. Risk Management – Document a risk-managed approach to the system lifecycle
   Patient safety, data integrity, product quality
2. Personnel – Appropriate qualifications, access levels and assigned responsibilities
3. Suppliers and Service Providers – Appropriate agreements, audits based on risk assessments
   More stringent than personnel requirements

Page 15: FDA 21 CFR Part 11 and Related Regulations and Guidances

Annex 11 – Project Phase

4. Validation (It is interesting to note that all validation is in this phase.)
   4.1 – Risk assessment > life cycle steps > validation documents
   4.2 – Validation documents must include any change control records and deviations
   4.3 – Accurate GMP systems inventory with functions and structures of critical ones
   4.4 – There must be life-cycle traceable User Requirements Specifications based on GMP risk

Page 16: FDA 21 CFR Part 11 and Related Regulations and Guidances

Annex 11 – Project Phase

   4.5 – The supplier should be "assessed" to have used a QMS during development
   4.6 – Bespoke-code systems must have more rigorous life-cycle reporting / controls
   4.7 – There must be documented evidence of appropriate system testing
   4.8 – There must be documented evidence of accurate data transfer or migration

Page 17: FDA 21 CFR Part 11 and Related Regulations and Guidances

Annex 11 – Operational Phase

5. Data – Data exchanges require integrity checks
6. Accuracy Checks – Manual data entry (of critical data) requires a second accuracy check.
   – Risk analysis for criticality
   – Manual or automated second check
7. Data Storage – Data must be secured physically and logically, and these mechanisms must be verified during validation and periodically re-verified.
8. Printouts – There must be printout capability for stored data that includes before / after views of any changes to batch release data.

Page 18: FDA 21 CFR Part 11 and Related Regulations and Guidances

Annex 11 – Operational Phase

9. Audit Trails – There must be a risk assessment to determine if an audit trail is required for changes or deletions of GMP-related electronic records.
   – System-generated, regularly reviewed, and the "reason for change" must be documented
   – Although they are not required to be included within the audit trail itself
10. Change and Configuration Management – must only be done in a controlled manner via a defined procedure
11. Periodic evaluation – More accurately, periodic re-evaluation for function, problems, security, etc.

Page 19: FDA 21 CFR Part 11 and Related Regulations and Guidances

Annex 11 – Operational Phase

12. Security
    12.1 – Physical and logical controls
    12.2 – Control extent based upon criticality
    12.3 – Record operator ID and date / time for: Creation, change, or cancellation of credentials
    12.4 – Record operator ID and date / time for: Entering, changing, confirming, or deleting data
13. Incident Management – Report all incidents, root cause / CAPA of critical incidents
    "Incident" is poorly defined
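
Items 9 and 12.4 above call for a system-generated trail that records operator ID, date / time and the reason for each change. The sketch below is an added example, not part of the original slides: a hash-chained, append-only trail in Python, where the class, field names and sample values are assumptions chosen for illustration and the chaining is one possible integrity mechanism, not something Annex 11 prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value for the first entry

def _digest(body):
    """SHA-256 over a canonical JSON encoding of one entry body."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

class AuditTrail:
    """Append-only, system-generated trail (hypothetical design)."""

    def __init__(self):
        self.entries = []

    def record(self, operator_id, action, record_id, before, after,
               reason="", when=None):
        # A change or deletion without a documented reason is refused.
        if action in ("change", "delete") and not reason:
            raise ValueError("reason for change is required")
        body = {
            "operator_id": operator_id,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,  # enter / change / confirm / delete
            "record_id": record_id,
            "before": before,  # before / after views of the value
            "after": after,
            "reason": reason,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first bad entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev or _digest(body) != entry.get("hash"):
                return i
            prev = entry["hash"]
        return None

def demo():
    """Constructed sample: one entry, one correction, then tampering."""
    trail = AuditTrail()
    trail.record("op-017", "enter", "LOT-0001/assay", None, "98.7")
    trail.record("op-022", "change", "LOT-0001/assay", "98.7", "99.1",
                 reason="transcription error")
    intact = trail.verify()
    trail.entries[0]["after"] = "101.0"  # edit made outside record()
    return intact, trail.verify()
```

A plain hash chain only exposes an edit if the latest hash is also kept somewhere the editor cannot reach, such as a separate log host or the printed batch record.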

Page 20: FDA 21 CFR Part 11 and Related Regulations and Guidances

Annex 11 – Operational Phase

14. Electronic Signature(s) – Acceptable on electronic records, allowed if they:
    a. have the same impact as hand-written signatures within the boundaries of the company,
    b. are permanently linked to their respective record,
    c. include the time and date that they were applied.
15. Batch release – If a computerized system is used for batch release, it must use e-signatures and a QP must do the signing
16. Business Continuity – Required (paper backup?)
17. Archiving – Data "may" be archived? If it is, the archive must be tested, etc.

Page 21: FDA 21 CFR Part 11 and Related Regulations and Guidances

Annex 11 – Glossary

• Application
• Bespoke/Customized computerized system
• Commercial, off-the-shelf software
• IT Infrastructure
• Life cycle
• Process owner
• System owner
• Third Party

Page 22: FDA 21 CFR Part 11 and Related Regulations and Guidances

Recent Observations In the Field: November 2011

• 10,000+ employee manufacturer / service company in regulated industries
  – Defense, Aerospace, Telecom, etc.
• Inventory control and tracking experts
  – Automated warehouse, barcodes, RFID, etc.
• Moving into Pharmaceutical / Medical Device
  – Learning curve on 21 CFR 11, VV&Q, etc.
• Major findings by "Big Pharma" audit teams:
  – SDLC, Training Records, Device History Records, CAPA, Change Control, Document Management

Page 23: FDA 21 CFR Part 11 and Related Regulations and Guidances

Recent Observations In the Field: July 2011

THE UNITED STATES ATTORNEY’S OFFICE
DISTRICT of NEW JERSEY

FOR IMMEDIATE RELEASE
July 1, 2011

Former Shionogi employee arrested, charged with hack attack on company servers

NEWARK, N.J. – A Georgia man who allegedly froze the operations of a New Jersey pharmaceutical company where he had worked by deleting portions of its computer network has been federally charged in connection with the alleged attack, U.S. Attorney Paul J. Fishman announced.

Jason Cornish, 37, of Smyrna, Ga., was arrested this morning near his residence by special agents of the FBI on a Complaint charging him with knowingly transmitting computer code with the intent to damage computers in interstate commerce. He is expected to make an initial appearance this afternoon before U.S. Magistrate Judge Janet F. King in Atlanta federal court.

Page 24: FDA 21 CFR Part 11 and Related Regulations and Guidances

Recent Observations In the Field: March 2011

• FDA CDER withholds Pre-Approval Inspection for Manufacturing Facility
• FDA Inspectional Findings: Inspection found that NMR testing files could be deleted.
• Also, no audit trail for the spectra acquired by the NMR.
• No audit trail for computer system running heparin purity test
  – I.e., Lot release criteria

Page 25: FDA 21 CFR Part 11 and Related Regulations and Guidances

March 2011, FDA CDER PAI Withhold

• Electronic data is the original raw data.
• Firm stated that they had used the hardcopy data as official information and it was archived.
• Investigator audited electronic files, and found multiple electronic spectra with no corresponding spectra in the hardcopy archive.
• NMR instrument also not qualified.
  – no IQ, OQ, or PQ

Page 26: FDA 21 CFR Part 11 and Related Regulations and Guidances

Thanks! Any Questions?

Thomas Quinn, CISSP, AAA
The Hollis Group, Inc.
PO Box 187
Paoli, PA 19301
v - 610-889-7350
f - 610-296-2314
www.hollisgroup.com
