9/17/2012
Part 11 Compliance: do I need to comply with 21 CFR 11 today?
John Avellanet Cerulean Associates LLC www.CeruleanLLC.com Cosmetic Science Symposium 2012 Newark, New Jersey
Acknowledgements ted treece dan o’leary mike weber darlene strauss nancy singer cathleen owen andy villers kevin stroop dave short ron stroud larry nicholson martin browning simon elleway jackie cassada gloria melnick jonathan lee denise dion gary wells steve niedelman
www.Ceruleanllc.com
Agenda
• 21 CFR 11 Today
• Lean Compliance Strategy
• Quick Steps for Success
This is not legal advice. Information in this presentation draws upon a variety of sources, including published warning letters, personal experiences, interviews and research, all or any of which may or may not have been prepared or conducted by Cerulean Associates LLC. Cerulean Associates LLC does not provide a warranty concerning the accuracy of the information contained in this presentation. The contents of this presentation are intended for general information only and should not be construed as legal advice. Cerulean Associates LLC assumes no liability for actions taken or not taken as a result of the information in this presentation. This presentation is copyrighted 2012 by Cerulean Associates LLC, all rights reserved.
21 CFR 11 TODAY
• what is “Part 11”?
• special enforcement
• investigator instructions
• relevant warning letters
What is “Part 11”?
• Drafted in early 1990s
• Published in 1997
• Established conditions under which FDA would consider e-records (and signatures) to be the equivalent of paper records and pen/ink signatures
• Applies to all data (and signatures) required under any FDA regulation
“For electronic records to have the same integrity as paper records, they must be developed, maintained, and used under circumstances that make it difficult for them to be inappropriately modified.” - Steve Wilson, Deputy Director, FDA
Part 11 Requirements
• Validation of computerized systems (§11.10(a))
• Controls around e-record copies (§11.10(b))
• Protection of retained e-records and data (§11.10(c))
• Limiting access to authorized users (§11.10(d))
• Time-stamped, automated audit trails (§11.10(e))
• Operational/sequential activity checks (§11.10(f))
• Authority-level checks (§11.10(g))
• Automated boundary and data input checks (§11.10(h))
• Limiting access to trained personnel (§11.10(i))
• Written policies and SOPs (§11.10(j))
• Controls/segregations around computer system documentation (§11.10(k))
• Change control specific to computerized systems and documentation thereof (§11.10(k))
• Verification of open v. closed systems (§11.10(j))
• Linkage to signature and records (§11.70)
• Conditions for biometrics usage (§11.200)
• Conditions for userIDs and password usage (§11.300)
26 ads for “computer validation”
“Validate everything!”
18 ads for “software validation”
Narrowed Scope Guidance
“The Agency intends to exercise enforcement discretion regarding specific part 11 requirements….”
“Part 11 did not go away. It addresses how electronic records required under other FDA regulations must be maintained.” - George Smith, Chair of FDA Part 11 Working Committee
FDA’s Part 11 Acronym
Electronic records/data that have integrity are…
• Accurate
• Legible/Long-Lasting
• Contemporaneous
• Original
• Attributable
“Okay…but how does that apply to me?”
“For electronic records to have the same integrity as paper records, they must be developed, maintained, and used under CONTROLS that make it difficult for them to be inappropriately modified.” - Steve Wilson, Deputy Director, FDA CDER
Translation: what controls do you have so that FDA can rely on your data?
Special Enforcement
• Announced July 8, 2010
• Goals:
– assess state of industry’s understanding ... or … continuing misinterpretations
– focus strictly on e-records
– extend scrutiny of issues found since 2007
– determine next steps for Part 11
Investigator Instructions
If a firm is keeping electronic records, determine if they are in compliance with 21 CFR Part 11. At a minimum, ensure that:
(1) the firm has prepared a plan for achieving full compliance with part 11 requirements and is making progress toward completing that plan in a timely manner
(2) accurate and complete electronic and human readable copies of electronic records, suitable for review, are made available
(3) employees are held accountable and responsible for actions.
If initial findings indicate the firm’s electronic records may not be trustworthy and reliable, or when electronic recordkeeping systems inhibit meaningful FDA inspection, a more detailed evaluation may be warranted.
- FDA Enforcement Compliance Policy Manual, Attachment A
“Documents and e-data spend more than 80% of their lifespan in an archived (e.g., stored) state.” - ARMA International
e-Record INTEGRITY
Example Warning Letters
“It was observed that the data stored on the computer can be deleted, removed, transferred, renamed or altered [without control].” - Warning Letter to Tomita Pharmaceutical Co., January 2008
www.fda.gov/ICECI/EnforcementActions/WarningLetters/2008/ucm1048433.htm
Example Warning Letters
“Failure to have complete and reliable laboratory control records derived from all tests conducted to ensure compliance with established specifications and standards. For example, the only record available was an Excel spreadsheet with values entered to calculate the final assay results. In addition, some of the HPLC chromatographs of the lots tested were not included.” - Warning Letter to Moehs Cantabra, April 2011
www.fda.gov/ICECI/EnforcementActions/WarningLetters/2011/ucm254065.htm
Example Warning Letters
“We highly recommend that you hire a third party auditor with experience in detecting data integrity problems, who may assist you in evaluating your serious CGMP deviations.” - Warning Letter to Yag Mag Labs Private Limited, September 2011
www.fda.gov/ICECI/EnforcementActions/WarningLetters/2011/ucm271708.htm
Example Warning Letters
“Your firm has failed to exercise appropriate controls over computer or related systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel. …you have no assurance of the integrity of the data or the functionality of the software used to determine test results.” - Warning Letter to Biochem Laboratories, February 2012
www.fda.gov/ICECI/EnforcementActions/WarningLetters/2012/ucm292891.htm
Example Warning Letters
“Your firm has not established appropriate controls designed to ensure that […] electronic records include all data…. The violation listed under […], raises serious concerns regarding the lack of quality oversight and poor CGMP documentation practices at your facility. In response to this letter, provide your comprehensive corrective action plan, with supportive information, including revised procedures, training records and additional preventative and systematic actions you will implement to assure integrity of all CGMP records.” - Warning Letter to Compania Internacional de Comercio, June 2012
www.fda.gov/ICECI/EnforcementActions/WarningLetters/2011/ucm271708.htm
“Part 11 controls are aimed to preserve content and meaning throughout the required record retention period, ensure security and integrity to avoid unauthorized or unintended creation, modification or deletion, and limit access to make sure that specific system functions are performed only by authorized individuals.” - George Smith, Chair of FDA Part 11 Working Committee
LEAN COMPLIANCE STRATEGY
• three P’s
• narrow the scope
• prioritize with risk
• next steps to consider
Part 11 Requirements
• Validation of computerized systems (§11.10(a))
• Controls around e-record copies (§11.10(b))
• Protection of retained e-records and data (§11.10(c))
• Limiting access to authorized users (§11.10(d))
• Time-stamped, automated audit trails (§11.10(e))
• Operational/sequential activity checks (§11.10(f))
• Authority-level checks (§11.10(g))
• Automated boundary and data input checks (§11.10(h))
• Limiting access to trained personnel (§11.10(i))
• Written policies and SOPs (§11.10(j))
• Controls/segregations around computer system documentation (§11.10(k))
• Change control specific to computerized systems and documentation thereof (§11.10(k))
• Verification of open v. closed systems (§11.10(j))
• Linkage to signature and records (§11.70)
• Conditions for biometrics usage (§11.200)
• Conditions for userIDs and password usage (§11.300)
Example Part 11 Controls
• Individual user names and passcodes (incl. biometrics)
• Encryption
• Policies, SOPs, work instructions
• Training (initial and refresher)
• Automated data boundary limits (incl. field rules, field highlighting, etc.)
• Audit trails (incl. reviews, automated alerts, etc.)
• Virus protection
• Log files (automated and manual)
• IQ/OQ/PQ of systems
• Qualified personnel installation and configuration
• Locked system configurations (from loadsets to user permissions to HMIs)
• Locked documents (such as a locked PDF)
• Read-only network folders
• IT supplier/vendor qualification
• Network topology documents and monitoring
• Periodic internal audits of documentation, system-generated records, and processes
• Annual e-records management and retention reviews
• Mock FDA audits (incl. IT controls gap assessments)
• Data maps tied to process work flows
....and much, much more
“Gaah! That’s… a lot. How do we narrow the focus?”
“Part 11 controls are aimed to preserve content and meaning throughout the required record retention period, ensure security and integrity to avoid unauthorized or unintended creation, modification or deletion, and limit access to make sure that specific system functions are performed only by authorized individuals.” - George Smith, Chair of FDA Part 11 Working Committee
Process
• functions
• record generation
Protect
• information within record
Preserve
• record
• context
“So…we need a plan to process, protect and preserve our e-records…yes?”
Lean Compliance Plan
Step 1: Narrow Scope
Step 2: Prioritize w/Risk
Step 3: Define Controls
Step 4: Implement & Verify
Step 5: Maintain & Update
Narrow the Scope
FDA regulated records
Translation: focus Part 11 compliance efforts on “regulated” records
Narrow the Scope (slide 36)
Standard Operating Procedure, Quality Management System: Determining 21 CFR 11 Applicability SOP (Cerulean)
Download this sample SOP at: www.ceruleanllc.com/resources/pcp2012
Lean Compliance Plan
Prioritize with Risk
FDA regulated records
Rationale (Risk-Based)
• relationship to safety
• relationship to effectiveness
• relationship to risk mitigation
• relationship to proving operational state-of-control
What could go wrong if…
• data/records lose integrity?
• software/systems become corrupt?
Prioritize with Risk
Nonconforming products will directly lead to...
... product failure
... consumer injury
... noncompliance
... liability danger
(... extra costs)
Prioritize with Risk
Records that are wrong will directly lead to...
... product failure
... consumer injury
... noncompliance
... liability danger
(... extra costs)
Translation: prioritize activities and progress on high-risk systems and data
Prioritize with Risk
Master Validation Plan (MVP)
• clarify risk rationale
• summarize risk assessments by system
• summarize validation “focus” by system
• lay out overall timelines
• keep momentum going
Standard Operating Procedure, Quality Management System: Master Validation Plan SOP (Cerulean)
Lean Compliance Plan
Step 1: Narrow Scope
Step 2: Prioritize w/Risk
Step 3: Define Controls
Step 4: Implement & Verify
Step 5: Maintain & Update
QUICK STEPS FOR SUCCESS
• talk to management
• involve IT and RM
• educate the team
• when to get an outside expert
• cost-effective tasks for the expert
Talk to Senior Management (slide 46)
• Show them sample enforcement actions that have humiliated other firms
• Explain how Part 11 is about records integrity: “Can the agency trust our records?”
• Discuss how this records-focus can help limit the scope and cost (and avoid mistakes of the past)
• Suggest next steps to build momentum & refine focus
– hold an executive workshop on FDA’s expectations of senior management
– obtain a C-level management sponsor
– assemble a cross-functional team
– consider getting an outside expert “on-call”
Involve IT and RM (slide 47)
Points to Consider:
• Are they familiar with FDA’s A.L.C.O.A. acronym for data integrity?
• Do cross-departmental checks and communication occur (does IT talk with Records Management and vice versa)?
• Have IT and RM suppliers been qualified?
• Are IT and RM policies and SOPs up-to-date?
• Can IT and RM policies and SOPs be re-used for Part 11 compliance efforts?
Educate the Team (slide 48)
Topics to Consider:
• How to validate in-house developed versus purchased commercial (COTS) systems
• Steps to control and monitor outsourced IT vendors
• How to document risk management activities
• What to include vs. not include in documentation & testing
• How to keep validation costs at less than 30% of overall system cost
If you have these questions….
• What is too much/too little in a system inventory?
• What are “suitable methods” for stopping unauthorized access?
• How do we design our network and set up our computers for data integrity?
• When can investigators ask for system access?
• Do we have to keep all of our electronic raw data?
• How do we translate “record integrity” into budget items?
• How does an audit trail prove “safety and efficacy”?
• Do we need an audit trail on our audit trail?
• Can we destroy e-records if we just print and keep paper copies?
Example Outside Expert Tasks
• Run a workshop on Part 11 (and Annex 11)
• Develop a Part 11 questionnaire or audit checklist for you or your suppliers
• Process map current Part 11-related SOPs to streamline implementation
• Create data maps of critical business systems
• Draft validation protocols for critical systems
• Conduct a gap analysis or mock FDA audit
– master validation protocol
– critical business system Part 11 validation protocols
– Part 11-relevant SOPs, forms, etc.
– post-review serving “on-call” to answer questions, follow-ups (teleconsulting)
Agenda Recap
• 21 CFR 11 Today
• Lean Compliance Strategy
• Quick Steps for Success
Checklists and other reference material discussed during this session are available online (until 10/12/2012) at: www.ceruleanllc.com/resources/pcp2012
Reference Material
Available through Friday, 12 October 2012 at www.ceruleanllc.com/resources/pcp2012
– sample SOP: Determining 21 CFR 11 Applicability
– checklist: 27-Point Part 11 Self-Assessment
– article: “FDA 21 CFR 11 – Where is FDA’s Special Enforcement Headed?” from Contract Pharma
– PDF copy of these slides
Next Step Suggestions
1. Download today’s reference material (available until 10/12/2012) at www.ceruleanllc.com/resources/pcp2012
2. Verify that you have a functional and up-to-date records retention schedule and policy
3. Verify you have a usable risk assessment methodology in SOP format
4. Write an SOP on determining Part 11 applicability (see sample in reference material and slide 36)
5. Follow the quick steps (slides 46-48) to create a cross-functional Part 11 compliance team
6. Schedule an independent IT controls review or a mock FDA Part 11-based audit within the next 2 years
About Your Presenter John Avellanet delivers practical solutions to compliance challenges to clients around the world. Winner of the 2009 & 2011 Best of Business Services award by the Small Business Commerce Association, Mr. Avellanet has earned international acclaim for his business-savvy, pragmatic FDA compliance advice. His latest book, Get to Market Now! Turn FDA Compliance into a Competitive Edge, was featured at BIO 2011 and has garnered multiple five-star reviews from industry publications, blogs, Amazon.com readers, and former FDA officials.
He has a breadth of experience designing, implementing, and being accountable for quality systems and compliance programs for FDA, DEA, ICH, GHTF, and ISO. For more than 15 years, John was directly accountable for regulatory compliance, records management, and information technology, most recently as a C-level executive for a Fortune 50 combination device subsidiary. In 2006, Mr. Avellanet founded his independent lean compliance consulting and training firm, Cerulean Associates LLC.
About Your Presenter
Recent Resume Highlights
• 2011-2013 IRO for Dr Comfort Consent Decree
• 2011-2012 Sedona Conference Working Group
• 2010 and 2011 Top 10 FDA Compliance Blog
• 2010 Top 50 Pharma/Biotech Blog
• 2009 and 2011 Best of Business Services Award
• 2008-2012 Guest Lecturer at NIH
• 2006 Lifetime Achievement Award – Who’s Who of Biopharma & Device Executives
• Lead author of 2 certification courses for RAPS
FDA Lean Compliance Consulting Services
• Process map and streamline SOPs and policies
• Perform audits for compliance and cost-effectiveness
• Develop records management policies and RRS
• Write and improve Part 11 protocols and reports
• Conduct QS & compliance training and workshops
• Serve as consent decree IRO and litigation support
Picture Credits Photos, images and clip art that appear on these slides have been used to enhance this presentation and may NOT be used for commercial or promotional purposes without permission from copyright holders. Do not remove or copy from this presentation.
Contact: iStockphoto.com Fotolia Microsoft Corporation Cerulean Associates LLC