21 CFR Part 11 Electronic Records

1
21 CFR Part 11Electronic Records Electronic
Signatures

• Svend Martin Fransen
• Principal Scientist,
• QS CRS Quality Services
• Novo Nordisk A/S

2
Contents

• 21CFR11 history
• The important aspects of 21CFR11
• Equivalent requirements in EU legislation
• The Novo Nordisk 21 CFR11 compliance project
• Examples
• Experiences learned

3
Contents

• 21CFR11 history
• The important aspects of 21CFR11
• Equivalent requirements in EU legislation
• The Novo Nordisk 21 CFR11 compliance project
• Examples
• Experiences learned

4
Why do we have computers?
It has gradually become common knowledge that
knowledge is the most important resource in the
business of the future. It is the ability to
create new knowledge and the ability to utilize
and organize existing knowledge that will be the
primary source for obtaining lasting competitive
advantages. Peter Holdt Christensen Viden om
ledelse, viden og virksomheden
5
What is 21CFR11?

• 21CFR FDA, Code of Federal Regulations
• 21CFR58 GLP
• 21CFR210 GMP, Drugs (General)
• 21CFR211 GMP, Drugs (Finished Pharmaceuticals)
• 21CFR312 Inv. New drug Application (GCP)
• 21CFR314 FDA Approval of new drug (GCP)
• 21CFR6xx GMP, biologics
• 21CFR820 GMP, Devices
• 21CFR Food, nutrients and cosmetics
• 21CFR11 Electronic Records Electronic
  Signatures

6
Historic overview

• A wish from the Industry (use of ES)
• FDA
• Final Draft i 1994
• Final Rule 20.March.1997, effective from
  20.Aug.1997
• 4 draft guidelines, Glossary of Terms,
  Validation, Time stamps and Maintenance of
  ER
• GAMP Part 11 guide, published Nov. 2001 (part 2)
• PDA GERM guide, published Sep. 2002 (part 1)
• PDA GERM guide Models, expected 2003 (part 3)

7
Contents

• 21CFR11 history
• The important aspects of 21CFR11
• Equivalent requirements in EU legislation
• The Novo Nordisk 21 CFR11 compliance project
• Examples
• Experiences learned

8
21CFR11, Overview

• Substantive rule from 20 August 1997
• Applies to any e-record in any FDA regulated work
  including legacy systems
• Criteria for e-records and e-signatures
• Trustworthy and reliable
• E-signatures hand-written signatures
• Minimum requirements / fraud prevention

9
Systems not Applications

• All definitions and clauses in 21 CFR 11 refer to
  systems
• Application is not mentioned
• IT part of the GXP environment.
• Do they know?

Application

Instructions, Manuals, etc.
-software
Platform
Equipment
- hardware
- system SW
Computer system
Controlled function
Computer based system
Working environment
COMPUTER RELATED SYSTEM
10
21 CFR Part 11, Basics

• Electronic records equivalent with paper records
• Storage, retrieval and copying in full retention
  period
• Submitting to FDA
• Protection of electronic records
• Security (physical and logical)
• Validation
• Audit trail (who did what, when including reason
  where req.)
• Permission to use of electronic signature
• Equivalent with handwritten signatures
• Name, date and meaning
• Linking of signature to record
• Unique for an individual

11
ORA, Compliance Policy Guide CPG 7153.17 (May
1999)

• Acknowledging not all older systems fully
  compliant by Aug 20, 1997
• firms must take steps to achieve full
  compliance
• Regulatory actions based on case by case
  evaluation
• FDA auditors should intensify their scrutiny of
  e-recs
• Calls for firms to
• have a reasonable timetable
• promptly modify any system not in compliance
• be able to demonstrate progress
• have procedural controls in place by now

12
FDA 21CFR11 inspection questions (source
21CFR11 Compliance Report, Vol.2, No. 4).

• Who is allowed to input data?
• Who is allowed to change data?
• How can you tell who entered the data?
• How do you know which data had been changed?
• When do you lock down the data input?
• Can you do the following actions? Show me some
  data, show me you can see the history of the
  data, show me you control the data life cycle.
• Is the system validated and are the requirements
  met?
• Can you show me the results of the validation
  activities?
• Does the validation include Pass/fail,
  signature, date/time stamp and objective
  evidence - screen prints or page printouts with a
  link to the direction that generated the
  output.?

13
Earlham College, Warning Letter

• In addition to the above listed violations, our
  Investigator noted that the laboratory is using
  an electronic record system for processing and
  storage of data from the atomic absorption and
  HPLC instruments that is
• not set up to control the security and data
  integrity in that the system is not password
  controlled,
• there is no systematic back-up provision, and
• there is no audit trail of the system
  capabilities.
• The system does not appear to be designed and
  controlled in compliance with the requirements of
  21 CFR, Part 11, Electronic Records.

14
Contents

• 21CFR11 history
• The important aspects of 21CFR11
• Equivalent requirements in EU legislation
• The Novo Nordisk 21 CFR11 compliance project
• Examples
• Experiences learned

15
EU

• Annex 11, Computerised Systems
• Personnel
• Validation
• System
• Descriptions and SOPs
• Change control and configuration management
• Records entry, storage, retrieval
• Audit trail
• Security and Disaster recovery
• etc.

16
PIC/S Draft Guidance

• Good Practices for Computerised Systems in
  regulated GXP environment
• Computer System Life cycle, incl.
• Electronic Records and Signatures
• Security, and
• Audit trail
• Checklists for Inspection
• Links ISO and IEEE standards, 21CFR11, APV
  guides, PDA Technical Reports together

17
Quote from PIC/S Guide

• 21. ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES
• 21.1 EC Directive 91/356 sets out the legal
  requirements for EU GMP. The GMP obligations
  include a requirement to maintain a system of
  documentation, (Article 9). The main requirements
  in Article 9.1 are that documents are clear,
  legible and up to date, that the system of
  documentation makes it possible to trace the
  history of manufacture (and testing) of each
  batch and that the records are retained for the
  required time. Article 9.2 envisages that this
  documentation may be electronic, photographic or
  in the form of another data processing system,
  rather than written. The main requirements here
  being that the regulated user has validated the
  system by proving that the system is able to
  store the data for the required time, that the
  data is made readily available in legible form
  and that the data is protected against loss or
  damage.

18
Draft Proposal for a Commission Directive
(30.Apr.2002)

• Amending Commission Directive 91/356/EEC , Laying
  Down the Principles and Guidelines of Good
  Manufacturing Practice for Medicinal Products for
  Human Use
• "When electronic, photographic or other data
  processing systems are used instead of written
  documents, the manufacturer or importer shall
  have validated the systems by proving that the
  data will be appropriately stored during the
  anticipated period of storage. Data stored by
  these systems shall be made readily available in
  legible form and shall be provided on demand to
  the competent authorities. For an investigational
  medicinal product when electronic, photographic
  or other data processing systems are used instead
  of written documents the manufacturer or importer
  shall have validated the systems to maintain the
  data during the required period of storage. Data
  stored by these systems shall be readily
  available in legible form and shall be provided
  on demand to the competent authorities."

19
Contents

• 21CFR11 history
• The important aspects of 21CFR11
• Equivalent requirements in EU legislation
• The Novo Nordisk 21 CFR11 compliance project
• Examples
• Experiences learned

20
21CFR11 Compliance Project

• Purpose
• Assist the units/system owners to prioritise the
  activities necessary to get in compliance over a
  limited period of time.
• Scope
• All Computer Systems within Novo Nordisk that
• generate electronic records covered by regulatory
  requirements from FDA,
• including the systems that utilise Electronic
  Signatures

21
Overview of the 21CFR11 compliance project
Development
Product Supply
Staffs, Quality, RA and other
21CFR11 project
No. of systems today 868 (PS) 219 (Dev.)
65 (others) 1152 systems (..and more to come)
22
21CFR11 Compliance Project

• Tasks
• Secure cGxP for 21CFR11 at Novo Nordisk
• Maintain corporate policy and interpretations
• Responsible for project QAP reporting
• Participate in external groups as NN
  representatives
• Distribute knowledge to organisation through
• Training (short courses and Site specific)
• Knowledge and guidance database
• Project web page
• Guidelines

23
Guidance database -web-enabled
24
Activities in relation to Part 11

• Identify and register systems (overview)
• Prioritise systems
• Evaluate high-risk systems
• Evaluate medium- and low-risk systems
• Evaluate corrections/solutions
• Prepare implementation plan
• Quick fixes
• Full compliance, technical and procedural
• Implement solutions

25
Prioritisation of systems
Regulatory Risk

• GxP, support systems (20)

High risk
Medium risk

• Other GxP critical, systems (11)

Y
Low risk
Medium risk

• Non-GxP systems (17)

X
Factor, based on No. of records generated by the
system, no. of users, frequency of use and
system complexity
26
Gradual achievement of compliance
40
20
Phase 2
20
Phase 1
60
20
50
20
Phase 1 Implement Site and system
procedures Phase 2 Technology based solutions,
etc.
27
Deliverables from common workgroups

• Evaluation of the system (gap-analysis) for
  technical issues
• Evaluation of possible solutions
• Recommendations and other input from supplier(s)
• Recommended solutions, including
• Draft or example of procedures
• Description of technical solution
• Estimated costs
• Suggested implementation plan

28
Progress Follow Up
Example
On track
Ensure no further delay
Take action to catch up
29
Examples of Pilot projects in production area

• Kaye Validator
• SCADA (Fix32)
• Filter testing equipment (PALL)
• Instron (replacement for..)
• PE laboratory equipment (UV/VIS ..) incl.
  replacements for..)
• Usifroid freeze dryer
• BMS (building monitoring systems)
• ...more to come (due to standardisation)

30
Contents

• 21CFR11 history
• The important aspects of 21CFR11
• Equivalent requirements in EU legislation
• The Novo Nordisk 21 CFR11 compliance project
• Examples
• Experiences learned

31
What can go wrong, will ...

• HPCE (High Pressure Capillary Electrophoresis)
• Scenario Replacement of chromatography software
  to Millennium and setting up an archive
  installation
• 7 year old software
• HW requirements to PC
• Migration of ER from OS/2 to Win NT
• Indexation of migrated data
• ER on tape stored in safe
• Use of archive installation
• Training of users
• SOPs

32
Example for remediation

• A hardware solution
• Control power supply to individual physical
  entities in a PC including keyboard and mouse
• Solution is OS independent
• User access is controlled via Smart card
• User profiles supported by pin code on the ZignX
  keyboard.
• Logging of access attempts

Further information http//www.zignx.dk/
33
Contents

• 21CFR11 history
• The important aspects of 21CFR11
• Equivalent requirements in EU legislation
• The Novo Nordisk 21 CFR11 compliance project
• Examples
• Experiences learned

34
Conclusions

• Management commitment pivotal
• Expensive and complex
• Requires highly skilled project management
• Risk-based prioritisation
• FDA enforcement becomes tougher
• and EU is on its way (DRAFT PIC/S Guidance)
• Just do it..!

35
Problem areas

• Lack of knowledge in the organisation on
• Computer Validation
• 21 CFR Part 11
• Maintenance of computer systems
• Purchase of non-compliant systems are ongoing
• Part 11 compliant systems do not exist
• Administrative controls ( Company policies)
• Procedural controls ( Company SOPs)
• Technical controls ( Supplier SW controls)