pwc 21 cfr part 11 – a risk management perspective patrick d. roche 07 march 2003, washington d.c

21 CFR Part 11 – A Risk Management

Perspective

Patrick D. Roche

07 March 2003, Washington D.C.

PricewaterhouseCoopers

Proposed Agenda

• Recent 21 CFR Part 11 Developments

• Risk Management Perspective

• Potential Integration with other Legislation

• Examples

• Conclusion


Recent Developments•CDER is now responsible for enforcement of 21 CFR Part 11

•All previous Part 11 guidance has been withdrawn

• New draft guidance has been provided

• Draft guidance acknowledges that:

• Statements made by agency staff may have been misinterpreted as policy

• The use of technology has been restricted, contrary to the agency’s intent

• The cost of compliance far exceeds the agency’s expectations

• Part 11 has discouraged innovation without a significant public health benefit


Recent Developments

•Part 11 is being re-examined and may be revised

• Certain areas will be subject to enforcement discretion (validation, audit trails, record retention and record copying)

• All other areas will continue to be enforced


Recent Developments

•Narrow Scope – Part 11 applies when persons choose to use records in electronic format in place of paper records

•Decisions to rely on paper or electronic records should be documented

• Audit Trail– A risk-based approach should be followed where audit trails are not required by

predicate rules– Focus on adds, changes or deletions of records that impact quality, safety and efficacy

•Validation– A risk-based approach should be followed where validation is not required by predicate

rules– Word processing software that is used to create paper-based SOPs would likely not

require validation

•Copies of records

•Record Retention - Risk Assessment driven


Recent Developments

•There are wide ranging opinions regarding what these changes mean

• Key messages:

• Part 11 is not going to go away

• The changes should not significantly modify your approach

• One size does not fit all

• Focus on risk management – an effective internal control structure that protects product safety, quality and efficacy


Risk Management Perspective• Everything is not important – only those things that impact quality, safety or efficacy

• Risk – anything that can prevent an objective from being met

• Consider an ORCA Approach

• Analyze Business Process

• Understand Quality Related Objectives

• What are the Risks that could impact the objectives?

• What Controls must be established to mitigate the risks?

• Validation provides evidence that the controls are in place and Aligned with objectives and risks

• If system based controls are not in place, what other mitigating controls can be established?

• Document risk assessment and decision process


Linkage of 21 CFR Part 11 with COSO and Sarbanes Oxley

COSO Structure

COSO Component

Business Process

Transaction

Control Objective

Risk

Control Activities

Transaction

Control Objective

Risk

Control Activity

Issue

Action Plan

Testing


Examples

•Business Process – Procurement

•IT Infrastructure

Function Sub-Process

Objective Risks Impact

Procurement Create a purchase order

Purchases can only be sourced to qualified vendors

Appropriate controls are not established to ensure that vendors are qualified. Vendor master file controls have not been established to prevent purchases from unqualified vendors No Vendor Audit Program in Place

Variation in quality of product Rejection of product Inventory shortages Impact on quality and safety

Procurement - Example


Procurement & Vendor Qualification

Vendor Evaluation

and Qualification

Vendor Master Maintenance

Material or Service Master Maintenance

Contracts and Pricing

Vendor Confirmation

Create Purchase Requisitions and Purchase Order (PO)

Goods Receipt and Reconciliation

Return to Vendor

NONO

Payment to Vendor

YESYES

Material Qualification

** MT: Material Traceability must be defined after a material is accepted and qualified. This includes the assignment of unique lot numbers after receipt at a manufacturing site. **

MTMT


People, Process and Technology

ProcessesProcesses PeoplePeople TechnologyTechnology

New Vendors are selected Purchasing Personnel

New Vendors areQualified by QM Personnel

Procurement ofRaw Materials

Receipt of Goods

Material Qualification

Material Traceability-Assign Lot Numbers

Vendor Payments

SOPSOP

SOPSOP

SOPSOP

Quality ManagementPersonnel

Quality ManagementPersonnel

Purchasing Personnel

Warehouse Personnel

Warehouse or Operations Personnel

Purchasing Personnel

System records VendorQualification details

System records MaterialQualification details

Material lot numbers and tracking recorded

in the system

Vendor Setup in system

Payment generated from system


Procurement & Vendor Qualification

Vendor Evaluation & Qualification Controls:Vendor Evaluation & Qualification Controls:

Audit Trails for Vendor Qualification are established, including appropriate electronic record and signature requirements to meet 21 CFR Part 11

Vendor Qualification policies and procedures have been established and implemented

Vendor Qualifications are restricted to authorized personnel Materials must be procured only from qualified vendors Quality procedures are distributed to approved vendors on a regular

basis and are included as part of the negotiations for new external sourcing arrangements

Associated Risk/Consideration:Associated Risk/Consideration:

Unauthorized vendors may be found in the Master Vendor File Materials may be procured from unqualified vendors Approved vendors may not meet FDA requirements Regulatory exposure Records of vendor qualification reviews and results may be

inappropriate or not exist


Address Book Controls

Vendor Address Book Maintenance Controls:Vendor Address Book Maintenance Controls:

Restricted access to Vendor Master File Vendor Master File changes are tracked via an associated audit

trail Electronic signatures and records are maintained as appropriate

for all Vendor Master Changes in accordance 21 CFR Part 11

Associated Risk/Consideration:Associated Risk/Consideration:

Unauthorized purchases may result Unauthorized payments to vendors may occur Duplicate Vendor Master records may exist Changes to vendor Master files may not be cGMP compliant as

accurate, traceable and approved Regulatory exposure

Example – IT Infrastructure


IT Infrastructure Example

Database server

Application server

Presentationserver

Business Process Controls

Authorizations and Security

Testing, Conversion & project management

Operating System Security

Change Control

Backup, Recovery and Contingency

Planning

Physical Security

Database Management

Integrity

Enterprise Security

Policies & Procedures

Internet Firewalls

Legacy System Interfaces


Conclusion

• Don’t stop your Part 11 efforts

• Re-examine your approach in light of the new guidance

• Don’t over complicate the process

• Think process and then technology

• Incorporate risk management concepts wherever possible

• Document risk assessment and decision processes


Contact Information

• Patrick D. Roche,

• Florham Park, NJ

• (973)236-4844

pwc 21 cfr part 11 – a risk management perspective patrick d. roche 07 march 2003, washington d.c

Documents