Post on 16-Dec-2015
New GAMP Good Practice Guide for Electronic Record and Signature Compliance
Arthur D. Perez, Ph.D.
Chairman, GAMP Americas
June 11, 2004 FDA Public Meeting Slide 2

Guiding Principles for New GPG
Consistent approach to ERS management
Manage risk by
  • Defining minimal acceptable standards
  • Applying stronger measures only where warranted
Simplicity of Approach
  • Assessment must not be harder than applying maximum controls
Facilitate interpretation of predicate rule requirements
Minimal impact on transition from old compliance programs to new
Encourage and facilitate new technologies that may involve electronic records and/or signatures
Consider and comply with international regulations
  • Including USFDA, EU, PIC/S Guidance, Japanese MHLW

Key Concepts
Scalability of assessment process based on record impact
  • Direct Impact records have obvious and significant effect on public health
  • Indirect Impact records provide evidence of compliance but do not have obvious and significant effect on public health
  • Non-impact records have negligible or no effect on public health
Identify the potential hazards
  • Possible occurrences that could threaten a record: power failure, security breach, virus, attempted fraud
Leverage GAMP’s classic three-component risk assessment
  • Degree of harm
  • Probability of fault
  • Detectability of fault

Simple Risk Assessment
GAMP 4 describes a simple two-step process
  • Plot severity vs. probability to obtain risk class
  • Plot risk class vs. detectability to obtain risk priority
[Figure: two matrices. The first plots Severity (Low, Moderate, High) against Probability (Low, Moderate, High) to give Risk Class 1, 2 or 3. The second plots Risk Class (1, 2, 3) against Detectability (High, Moderate, Low) to give Priority 1, 2 or 3.]

ISO 14971-Based Approach to Risk
Identify records & signatures
Carry out impact assessment
Carry out risk assessment
Provide controls
Control, Monitor, Review
[Figure: flowchart in five steps (STEP 1 to STEP 5). Box labels: Identify Records; Assess Record Impact (No Impact, Indirect Impact, Direct Impact); Select Good IT Practice; Identify Generic Hazards (repeat for each electronic record type); Select Generic Controls; Identify Generic and Specific Hazards (repeat for each hazard); Assess Likelihood; Assess Probability of Detection; Derive Risk Priority; Select Generic and Specific Controls; Initiate Controls; Periodic Review and Evaluation. Side labels (ISO 14971 terminology): Risk Analysis, Risk Evaluation, Risk Control, Post Production Information.]

Controls Based on Risk and Impact
No Impact: Use “Good IT Practices”
Indirect Impact: Use Generic Checklist controls
Direct Impact: Use risk assessment to identify specific controls & rigor
Increasing rigor of control required
Consider:
  • Stricter controls
  • More controls
  • More frequent controls
  • Automatic controls
  • Increased internal audit
Severity
Risk
Effect on:
  • Patient safety
  • Product safety
  • Compliance
Potential for:
  • Loss of record
  • Corruption of record
  • Wrong record

Controls Based on Risk and Impact
Rigor of Controls, by control and record impact

Access control
  No Impact (“Good IT Practice”):
    • Controlled access
  Indirect Impact (formal processes for):
    • Authorization process
    • Access management
    • Password management
    • Documentation
  Direct Impact (formal processes for):
    • Rigorous authorization control
    • Strict and proactive access management
    • User profiles
    • Unique accounts
    • Stringent PW management
    • Physical security
    • Full documentation

Backup and Restore
  No Impact (“Good IT Practice”):
    • Checking of outcome
    • Multiple copies (redundancy)
  Indirect Impact (formal processes for):
    • Checking of outcome
    • Multiple copies (redundancy)
    • Formal periodic testing
    • Documentation
  Direct Impact (formal processes for):
    • Checking of outcome
    • Multiple copies (redundancy)
    • Formal periodic testing
    • Full documentation
    • Remote storage locations
    • Automated processes

Appendices
Validation Policy
  • Validation is an expected control
Audit Trails and Data Security
  • Level of control commensurate with risk/impact
  • Audit trails only where they make sense
Record retention
  • Format choice reflects actual business process
  • Format choices based on risk assessment
  • Optimal format may change as record ages

Appendices
Copies of Records
  • Useful access necessary for inspectors
  • Use of common portable formats
Legacy Systems
  • Document justification of classification as legacy
  • Guidelines for evaluating effect of upgrades
  • Document that system satisfies predicate rule
Predicate Rules Requiring Records or Signatures
  • US (21 CFR 50, 54, 56, 58, 210, 211, 312, 314, 820)
  • EU
  • Japan

Appendices
Sample Case Studies
  • Spreadsheets
  • Packaging equipment
  • Clinical trial label manufacture
  • SCADA
  • HPLC
  • Chromatography Data System
  • Interactive Voice Response System (IVRS)
  • Adverse Event Reporting System
  • Batch record system

Appendices
Forms for Indirect Impact Records
  • For risk assessment and identification of controls
Risk Assessment for Direct Impact Electronic Records
  • Adapted from GAMP 4 Appendix M3
  • Includes roles and responsibilities
Form for Previously Assessed Part 11 Systems
Glossary
References

Summary
The New GAMP GPG for Electronic Record and Signature Compliance offers
  • A pragmatic approach to complying with record requirements in electronic systems
  • A combination of record classification and risk assessment that
      places controls where they are needed
      is not so ponderous that firms will find it easier to work toward a single excessive standard
  • Extensive examples of application of the process