pwc 21 cfr part 11 – a risk management perspective patrick d. roche 07 march 2003, washington d.c

19
21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C.

Upload: nicholas-hodges

Post on 01-Jan-2016

215 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

21 CFR Part 11 – A Risk Management

Perspective

Patrick D. Roche

07 March 2003, Washington D.C.

Page 2: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Proposed Agenda

• Recent 21 CFR Part 11 Developments

• Risk Management Perspective

• Potential Integration with other Legislation

• Examples

• Conclusion

Page 3: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Recent Developments•CDER is now responsible for enforcement of 21 CFR Part 11

•All previous Part 11 guidance has been withdrawn

• New draft guidance has been provided

• Draft guidance acknowledges that:

• Statements made by agency staff may have been misinterpreted as policy

• The use of technology has been restricted, contrary to the agency’s intent

• The cost of compliance far exceeds the agency’s expectations

• Part 11 has discouraged innovation without a significant public health benefit

Page 4: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Recent Developments

•Part 11 is being re-examined and may be revised

• Certain areas will be subject to enforcement discretion (validation, audit trails, record retention and record copying)

• All other areas will continue to be enforced

Page 5: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Recent Developments

•Narrow Scope – Part 11 applies when persons choose to use records in electronic format in place of paper records

•Decisions to rely on paper or electronic records should be documented

• Audit Trail– A risk-based approach should be followed where audit trails are not required by

predicate rules– Focus on adds, changes or deletions of records that impact quality, safety and efficacy

•Validation– A risk-based approach should be followed where validation is not required by predicate

rules– Word processing software that is used to create paper-based SOPs would likely not

require validation

•Copies of records

•Record Retention - Risk Assessment driven

Page 6: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Recent Developments

•There are wide ranging opinions regarding what these changes mean

• Key messages:

• Part 11 is not going to go away

• The changes should not significantly modify your approach

• One size does not fit all

• Focus on risk management – an effective internal control structure that protects product safety, quality and efficacy

Page 7: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Risk Management Perspective• Everything is not important – only those things that impact quality, safety or efficacy

• Risk – anything that can prevent an objective from being met

• Consider an ORCA Approach

• Analyze Business Process

• Understand Quality Related Objectives

• What are the Risks that could impact the objectives?

• What Controls must be established to mitigate the risks?

• Validation provides evidence that the controls are in place and Aligned with objectives and risks

• If system based controls are not in place, what other mitigating controls can be established?

• Document risk assessment and decision process

Page 8: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Linkage of 21 CFR Part 11 with COSO and Sarbanes Oxley

COSO Structure

COSO Component

Business Process

Transaction

Control Objective

Risk

Control Activities

Transaction

Control Objective

Risk

Control Activity

Issue

Action Plan

Testing

Page 9: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Examples

•Business Process – Procurement

•IT Infrastructure

Function Sub-Process

Objective Risks Impact

Procurement Create a purchase order

Purchases can only be sourced to qualified vendors

Appropriate controls are not established to ensure that vendors are qualified. Vendor master file controls have not been established to prevent purchases from unqualified vendors No Vendor Audit Program in Place

Variation in quality of product Rejection of product Inventory shortages Impact on quality and safety

Page 10: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

Procurement - Example

Page 11: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Procurement & Vendor Qualification

Vendor Evaluation

and Qualification

Vendor Master Maintenance

Material or Service Master Maintenance

Contracts and Pricing

Vendor Confirmation

Create Purchase Requisitions and Purchase Order (PO)

Goods Receipt and Reconciliation

Return to Vendor

NONO

Payment to Vendor

YESYES

Material Qualification

** MT: Material Traceability must be defined after a material is accepted and qualified. This includes the assignment of unique lot numbers after receipt at a manufacturing site. **

MTMT

Page 12: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

People, Process and Technology

ProcessesProcesses PeoplePeople TechnologyTechnology

New Vendors are selected Purchasing Personnel

New Vendors areQualified by QM Personnel

Procurement ofRaw Materials

Receipt of Goods

Material Qualification

Material Traceability-Assign Lot Numbers

Vendor Payments

SOPSOP

SOPSOP

SOPSOP

Quality ManagementPersonnel

Quality ManagementPersonnel

Purchasing Personnel

Warehouse Personnel

Warehouse or Operations Personnel

Purchasing Personnel

System records VendorQualification details

System records MaterialQualification details

Material lot numbers and tracking recorded

in the system

Vendor Setup in system

Payment generated from system

Page 13: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Procurement & Vendor Qualification

Vendor Evaluation & Qualification Controls:Vendor Evaluation & Qualification Controls:

Audit Trails for Vendor Qualification are established, including appropriate electronic record and signature requirements to meet 21 CFR Part 11

Vendor Qualification policies and procedures have been established and implemented

Vendor Qualifications are restricted to authorized personnel Materials must be procured only from qualified vendors Quality procedures are distributed to approved vendors on a regular

basis and are included as part of the negotiations for new external sourcing arrangements

Associated Risk/Consideration:Associated Risk/Consideration:

Unauthorized vendors may be found in the Master Vendor File Materials may be procured from unqualified vendors Approved vendors may not meet FDA requirements Regulatory exposure Records of vendor qualification reviews and results may be

inappropriate or not exist

Page 14: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Address Book Controls

Vendor Address Book Maintenance Controls:Vendor Address Book Maintenance Controls:

Restricted access to Vendor Master File Vendor Master File changes are tracked via an associated audit

trail Electronic signatures and records are maintained as appropriate

for all Vendor Master Changes in accordance 21 CFR Part 11

Associated Risk/Consideration:Associated Risk/Consideration:

Unauthorized purchases may result Unauthorized payments to vendors may occur Duplicate Vendor Master records may exist Changes to vendor Master files may not be cGMP compliant as

accurate, traceable and approved Regulatory exposure

Page 15: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

Example – IT Infrastructure

Page 16: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

IT Infrastructure Example

Database server

Application server

Presentationserver

Business Process Controls

Authorizations and Security

Testing, Conversion & project management

Operating System Security

Change Control

Backup, Recovery and Contingency

Planning

Physical Security

Database Management

Integrity

Enterprise Security

Policies & Procedures

Internet Firewalls

Legacy System Interfaces

Page 17: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Conclusion

• Don’t stop your Part 11 efforts

• Re-examine your approach in light of the new guidance

• Don’t over complicate the process

• Think process and then technology

• Incorporate risk management concepts wherever possible

• Document risk assessment and decision processes

Page 18: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C

PricewaterhouseCoopers

Contact Information

• Patrick D. Roche,

• Florham Park, NJ

• (973)236-4844

Page 19: PwC 21 CFR Part 11 – A Risk Management Perspective Patrick D. Roche 07 March 2003, Washington D.C