FDA Data Integrity: Misconceptions of 21 CFR Part 11


Upload: eduquest-inc

Post on 11-Apr-2017


Combat the Misconceptions of 21 CFR Part 11

EduQuest EDUcation: QUality Engineering, Science, & Technology


Global team of FDA compliance experts based near Washington, DC

Founded by former senior officials from FDA’s Office of Regulatory Affairs (ORA) Headquarters

Advising pharmaceutical, biologics, and medical device companies worldwide since 1995

Focus on Audits and Training for Part 11, Validation, Quality Systems, Risk Management, Inspection Readiness


22 years with U.S. FDA

Special Assistant to Associate Commissioner of Regulatory Affairs

Co-Author of 21 CFR Part 11

FDA expert field investigator, inspecting facilities worldwide

Former chair of U.S. ISO 9000 committee

Helped to develop QSR for Medical Devices

Chair of EduQuest live training courses (www.EduQuest.net)


Evolution of Part 11 and Why It’s Back in the News

Overview and Key Requirements of Part 11

How FDA Inspects Computerized Systems

4 © 2016 EduQuest, Inc.


Over 20 years since the beginning of the process –

• Part 11 still doesn’t meet FDA’s or the industry’s objectives

• We’re still talking past one another

Remember the context of FDA’s pre-existing focus on software and computerized systems


FDA did not issue Part 11 on its own initiative

• The pharmaceutical industry asked FDA for rules to deal with electronic submissions and recordkeeping

• Classic example of “be careful what you ask for”


Agency officials who understood computer systems and software engineering knew that Part 11 wasn’t necessary for FDA to do its job

• The vast majority of the Part 11 requirements already existed under the “predicate rules”

• Remember – FDA has enforced its expectations for computerized systems since the late 1970s


Several key missteps

• FDA did not fully understand the state of industry practice at the time

• Used terminology that didn’t help

The title of the regulation itself

The use of the term “audit trail”


• Several years of unclear, shifting, unscientific, and virtually useless guidance

The one remaining guidance document (on the Scope and Application of Part 11) wasn’t very effective in clarifying what the regulated industries were struggling with


Overstated the nature and impact of “enforcement discretion”

Left a lot of open and unanswered questions

• FDA’s expectations for a “justified and documented risk assessment”

• Whether very many legacy systems can actually meet the stated criteria for avoiding Part 11


Positions with no rational science behind them

• For example, using only printed paper records to make regulatory decisions

Failed to provide needed clarity

• For example, that medical device quality and production related systems must be validated (there is no leeway for the device industry)


It’s simple – Part 11 is back in the news because FDA:

• Continues to see significant problems with data integrity (including outright fraud)

• Does not trust what it’s seeing and what the pharmaceutical industry is saying about its impact

• Wants to return to the original intent and objectives


CDER announced this initiative in May 2010

• To “evaluate the current pharmaceutical industry understanding of, and compliance with, 21 CFR Part 11” and “where industry may not be complying with, or understand, the enforcement approach as stated in the guidance”


Some of the possible outcomes include –

• Maintaining the “status quo, plus publishing additional guidance”

• “Amending the existing Part 11 regulation and/or preamble”


• “Proposing new wording / language to existing CPGs and CPMGs that contain outdated interpretations of Part 11 requirements”

• “Revoking” or “amending” the current Scope and Application guidance


Officials within CDER “have become aware of serious problems with recordkeeping, especially electronic, and are interested in looking at the industry to determine what steps need to be taken to reestablish compliance”

The “intent is the same one we had in FDA before we published the Advance Notice of Proposed Rulemaking” (in 1992)


FDA’s original intent in defining and drafting Part 11 was based on a set of straightforward and simple objectives –

• To encourage and facilitate the adoption of technological improvements without a loss in data integrity

• To provide for no less integrity of electronic data and electronic signatures than for paper-based data and signatures

• To accomplish the above within the existing regulatory framework


FDA did not want to “reinvent the wheel” and chose to

• Rely on existing FDA recordkeeping regulations

• Draw from industries experienced in dealing with electronic data integrity (e.g., the financial, banking, and legal industries)

• Apply “common sense” (often referred to as a “risk-based” approach)


1) Data integrity (the primary basis for all of the requirements);

2) The quality and reliability of software and computerized systems, in accordance with their intended uses; and

3) An appropriate degree of contemporaneously-developed objective evidence that supports and demonstrates that the first two objectives have been met


Compliance with basic, well-established good software and systems engineering practice

• Been around for decades (very little has changed)

• Will get you 99% of the way there

• FDA didn’t create a lot of additional requirements

Exceptions – FDA does expect a written and approved validation plan and validation report


“GxP” (Good X Practices)

• cGMP, GMP, QSR, GCP, GLP, GTP, ER/ES

• “Predicate Rules”

• 21 CFR Part Everything Else!


What is it?

• FDA’s regulation for the use of electronic records and electronic signatures

• Sets forth the rules for acceptability and use of electronic records and signatures in lieu of “paper” records and “handwritten” signatures


What does 21 CFR Part 11 apply to?

• Any record required by FDA which you create, modify, maintain, archive, retrieve, or transmit in electronic form

• Any record you submit to FDA in electronic form (required or not)

Note – Part 11 does not supersede any other regulations


Part 11 does not create any new record or signature requirements

Use of electronic records as well as their submission to FDA is voluntary (except for drug labeling and many more instances that are being developed)

The agency can and does use regulatory discretion in enforcement (this is not a new concept or approach)


Software and system validation

Data change documentation and control (audit trails)

System security

Electronic signature security

Code and password security and maintenance

Biometric / non-biometric signature requirements


Record retention and protection

Operational checks

Authority checks

Device checks

Document control (including system deliverables)

Additional necessary controls for “open” systems


Electronic signature requirements

• Printed name display

• Date and time of signature

• Signature meaning

• Signature linking

• Uniqueness

• Identity verification, being established or certified


Independently computer generated

All changes which create, modify, or delete data

Date and time stamped

Identifies who made the change

Must not obscure previous data

Retention for full period defined by the predicate rules

Available for inspection, copying, and review
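
The attributes listed above are those Part 11 expects of an audit trail. The following Python example is added here for illustration and is not part of the original slides; `AuditedStore`, `AuditEntry` and `verify` are hypothetical names, and the hash chaining goes beyond the listed attributes as one assumed way to make after-the-fact edits detectable during review.

```python
import hashlib, json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)           # entries cannot be edited after creation
class AuditEntry:
    seq: int
    timestamp: str                # UTC, taken from the system clock
    user: str                     # identifies who made the change
    action: str                   # "create", "modify" or "delete"
    key: str
    old_value: Optional[str]      # previous data is kept, never obscured
    new_value: Optional[str]
    prev_hash: str                # digest of the preceding entry (assumption)

    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

class AuditedStore:
    """Hypothetical record store: every write path goes through _log()."""
    def __init__(self):
        self._data = {}
        self._trail = []

    def _log(self, user, action, key, old, new):
        # The system, not the user, generates the entry and its timestamp.
        prev = self._trail[-1].digest() if self._trail else "0" * 64
        ts = datetime.now(timezone.utc).isoformat()
        self._trail.append(AuditEntry(len(self._trail), ts, user, action, key, old, new, prev))

    def put(self, user: str, key: str, value: str) -> None:
        old = self._data.get(key)
        self._log(user, "create" if old is None else "modify", key, old, value)
        self._data[key] = value

    def delete(self, user: str, key: str) -> None:
        self._log(user, "delete", key, self._data.pop(key), None)

    def trail(self):
        return tuple(self._trail)  # read-only copy for inspection and review

def verify(trail) -> bool:
    """True if each entry's prev_hash matches the digest of the one before it."""
    prev = "0" * 64
    for i, e in enumerate(trail):
        if e.seq != i or e.prev_hash != prev:
            return False
        prev = e.digest()
    return True
```

Retention for the period set by the predicate rules is a storage and archival decision outside this code; the trail here lives only in memory.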


The system must assure that only authorized users qualified by documented training and approval can −

• Use the system

• Access the operations

• Electronically sign a record

• Alter a record

• Access input and output devices


Biometric –

• Based on unique physical attributes (fingerprints, retinal scan, voice prints, face recognition, etc.)

Non-Biometric –

• At least two methods of identification (typically user ID and password)


For multiple signings during a “continuous” session

• If not biometric, both components of the signature must be entered on the first signing

• For subsequent signings during the same continuous session, only one component is required


Part 11 remains in force with one applicable guidance document (guidance on Part 11 Scope and Application)

FDA is exercising enforcement discretion while further evaluating Part 11 for potential changes

FDA has established internal good guidance practices


FDA inspections monitor for compliance with Part 11 just as they monitor for proper record keeping in accordance with other FDA regulations


Outlines FDA’s thinking in five specific areas –

• Validation, audit trails, legacy systems, copies of records, and record retention

Repeated emphasis on the predicate rules

Decisions must be formally justified and documented

• FDA expects a risk-based approach using a risk (or hazard control) methodology


An established development process or methodology

A written and approved validation plan

Documented requirements

Documented functional specifications

Documented design specifications


Documented testing protocols and evidence of reviews of objective test results

Documented evidence of installation protocols and evidence of test results and review

A written and approved validation report

Complete, documented traceability (from requirements to testing)


Documentation of responsible approvals

A defined maintenance / change control process / methodology including risk analysis

Documentation of changes / change impact and risk assessment / periodic monitoring

An effective vendor management process

System security


Management doesn’t fully understand the –

• Nature and extent of the regulatory requirements

• Fundamental components of basic good software and systems engineering practice and how they are directly related to real business benefits

• Magnitude of the work and resources needed to bring hundreds or thousands of systems into compliance


Lack of full and consistent understanding of the –

• Scope of what’s required by the “predicate rules” (including the logical extensions and the interpreted and/or enforced meaning of the requirements)

• Logical and scientific bases for some of the key requirements (such as validation) – continues to drive some companies’ resistance to adopt practices that will routinely meet those requirements


Thinking that Part 11 is a quality issue

Focusing on a software package rather than the system as a whole

Lack of management support (resources, time)

Not doing anything for a non-validated system that is “going to be replaced”

Failure to plan for and address “meta data”


Vendor certification is all that is needed for COTS (commercial-off-the-shelf) software

Part 11 is primarily focused on electronic signatures

Manual audit trails are acceptable

If I print and sign, I can delete the electronic record

FDA will collect copies of many electronic records


FDA Compliance Training Classes available from EduQuest:

FDA Auditing of Computerized Systems and Part 11/Annex 11, Oct. 31-Nov. 2, 2016 (FDA’s expectations for data integrity. Includes 3 mock FDA audits of real-world computer systems.)

The CAPA Clinic: CAPA Systems, Failure Investigations & Complaint Management, Nov. 3-4, 2016 (Improving your CAPA system through better data collection, management reporting, trending, and root cause analysis)

QSR Compliance Basics, September 26-27, 2016 (Fully understand your company’s obligations for Quality Systems under 21 CFR 820)

Design Control for Medical Devices, September 28-29, 2016 (How FDA expects you to develop, implement, and manage design controls)

All offered publicly or as on-site, on-demand classes -- when and where you need them.

Details at www.EduQuest.net