ABB Limited. Table of Content. Executive Summary

Similar documents
White Paper Assessment of Veriteq viewlinc Environmental Monitoring System Compliance to 21 CFR Part 11Requirements

Part 11 is Dead Long Live Part CFR 11, the Electronic Records and Electronic Signatures 21 CFR PART 11. Introduction

Assessment of Vaisala Veriteq viewlinc Continuous Monitoring System Compliance to 21 CFR Part 11 Requirements

21 CFR Part 11 LIMS Requirements Electronic signatures and records

Data Integrity and the FDA AFDO Education Conference

Comment sheet for MHRA draft document:

Part 11 Compliance SOP

21 CFR PART 11 FREQUENTLY ASKED QUESTIONS (FAQS)

Sparta Systems TrackWise Solution

Sparta Systems TrackWise Digital Solution

EUROPEAN MEDICINES AGENCY (EMA) CONSULTATION

Adobe Sign and 21 CFR Part 11

WHITE PAPER AGILOFT COMPLIANCE WITH CFR 21 PART 11

21 CFR PART 11 COMPLIANCE

Sparta Systems Stratas Solution

Introduction. So what is 21 CFR Part 11? Who Should Comply with 21CFR Part 11?

The Impact of 21 CFR Part 11 on Product Development

ChromQuest 5.0. Tools to Aid in 21 CFR Part 11 Compliance. Introduction. General Overview. General Considerations

ELECTRONIC RECORDS (EVIDENCE) ACT (No. 13 of 2014) ELECTRONIC RECORDS (EVIDENCE) REGULATIONS. (Published on, 2015) ARRANGEMENT OF REGULATIONS

Good Laboratory Practice GUIDELINES FOR THE ARCHIVING OF ELECTRONIC RAW DATA IN A GLP ENVIRONMENT. Release Date:

Compliance Matrix for 21 CFR Part 11: Electronic Records

NY DFS Cybersecurity Regulations August 8, 2017

REGULATION ASPECTS 21 CFR PART11. 57, av. Général de Croutte TOULOUSE (FRANCE) (0) Fax +33 (0)

ComplianceQuest Support of Compliance to FDA 21 CFR Part 11Requirements WHITE PAPER. ComplianceQuest In-Depth Analysis and Review

OpenLAB ELN Supporting 21 CFR Part 11 Compliance

COMPLIANCE. associates VALIDATOR WHITE PAPER. Addressing 21 cfr Part 11

An Easy to Understand Guide 21 CFR Part 11

NEWCASTLE CLINICAL TRIALS UNIT STANDARD OPERATING PROCEDURES

PRIVACY POLICY OF THE WEB SITE

By Cornelia Wawretchek. The Drug Manufacturer s Guide to Site Master Files

Integration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11

Acceptance Checklist for Special 510(k)

NucleoCounter NC-200, NucleoView NC-200 Software and Code of Federal Regulation 21 Part 11; Electronic Records, Electronic Signatures (21 CFR Part 11)

Data Integrity: Technical controls that demonstrate trust

Standard Development Timeline

1. Document Control 2. Change Record Version Date Author(s) Comments 3. Reviewers Version Name Organisation 4. Distribution Version Date Name Status

TECHNICAL BULLETIN [ 1 / 13 ]

Industry Guidelines for Computerized Systems Validation (GAMP, PDA Technical Reports)

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Agilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview

Current Expectations and Guidance, including Data Integrity and Compliance With CGMP

DATA PROTECTION POLICY THE HOLST GROUP

OFFICIAL COMMISSIONING OF SECURITY SYSTEMS AND INFRASTRUCTURE

PS Mailing Services Ltd Data Protection Policy May 2018

21 CFR Part 11 FAQ (Frequently Asked Questions)

MHRA GMP Data Integrity Definitions and Guidance for Industry March Introduction:

Rules for LNE Certification of Management Systems

Summary of PIC/S Guidance Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments

Achieving 21 CFR Part11 Compliance using Exaquantum/Batch Authored by Stelex

Data Processing Clauses

Agilent Response to 21CFR Part11 requirements for the Agilent ChemStation Plus

Automation Change Management for Regulated Industries

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

21 CFR 11 Assistant Software. 21 CFR Part 11 Compliance Booklet

NSDA ANTI-SPAM POLICY

Legal basis of processing. Place MODE AND PLACE OF PROCESSING THE DATA

Contract Services Europe

ISO/IEC INTERNATIONAL STANDARD

NDIS Quality and Safeguards Commission. Incident Management System Guidance

Learning Management System - Privacy Policy

MHRA GMP Data Integrity Definitions and Guidance for Industry January Initial Review and Critique March 2015

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

DATA PROCESSING TERMS

Subject: Kier Group plc Data Protection Policy

AE On-Site Audit. Welcome to the AE On Site Audit training. Course #

ISO/IEC INTERNATIONAL STANDARD

Data Integrity and Worldwide Regulatory Guidance

FDA 21 CFR Part 11 Compliance by Metrohm Raman

Smile IT Ltd Privacy Policy. Hello, we re Smile IT Ltd. We offer computer and network support to businesses and home computer users.

This document is a preview generated by EVS

Standard CIP 007 3a Cyber Security Systems Security Management

CERTIFICATE SCHEME THE MATERIAL HEALTH CERTIFICATE PROGRAM. Version 1.1. April 2015

The Role of the American National Standards Institute (ANSI) Irwin Silverstein, Ph.D. IPEA

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

testo Comfort Software CFR 4 Instruction manual

Checklist According to ISO IEC 17065:2012 for bodies certifying products, process and services

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

INFORMATION. Guidance on the use of the SM1000 and SM2000 Videographic Recorders for Electronic Record Keeping in FDA Approved Processes

DATA PROCESSING IN ITALY. Ten Simple Practices to Improve Business

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Leveraging ALCOA+ Principles to Establish a Data Lifecycle Approach for the Validation and Remediation of Data Integrity. Bradford Allen Genentech

Building Consent Authority Complaint 2017/002 6 October 2017 Complaint against Auckland Council

In addition, below we offer our responses to the questions posed in the Federal Register Notice announcing the availability of the Draft Guidance:

Standard Development Timeline

EUIPO Ex-ante product quality audits (trademarks and designs) Prior Checking Opinion Case

The University of British Columbia Board of Governors

NIST Risk Assessment for Part 11 Compliance: Evaluation of a GXP Case Study

DATA INTEGRITY (EMA AUGUST 2016)

Compliance of Shimadzu Total Organic Carbon (TOC) Analyzer with FDA 21 CFR Part 11 Regulations on Electronic Records and Electronic Signatures

Standard CIP 004 3a Cyber Security Personnel and Training

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Conference for Food Protection. Standards for Accreditation of Food Protection Manager Certification Programs. Frequently Asked Questions

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

-2-4. Application for certificate of production system standard under regulated criteria at certification bodies that registered with the Food and

TURKISH STANDARDS INSTITUTION

Alberta Reliability Standards Compliance Monitoring Program. Version 1.1

Data Protection Policy

THE CAN-SPAM ACT OF 2003: FREQUENTLY ASKED QUESTIONS EFFECTIVE JANUARY 1, December 29, 2003

Transcription:

21 CFR Part 11 Electronic Records; Electronic Signatures Guidance for Industry Scope of Application Position Paper: A Summary and Interpretation of the Guidance Note: This document has been prepared based on information released by FDA plus ABB s experience gained from working with a wide range of clients in the regulated industries. ABB cannot be held responsible for the accuracy of interpretation or implementation of the recommendations this document is issued purely as help for the industry. Throughout this paper specific references are made to the FDA guidance document [1], quoting line numbers from the document in superscript. Table of Content EXECUTIVE SUMMARY...1 BACKGROUND...2 SUMMARY OF GUIDANCE...2 STATUS OF GUIDANCE...3 GENERAL INTERPRETATION OF GUIDANCE...3 SPECIFIC COMMENTS...3 Definition of Electronic Records 158... 3 Definition of Electronic Signatures 191... 4 Legacy Systems 234... 4 Validation 11.10(a) 196... 4 Copies of Records 11.10(b) 242... 5 Record Retention 11.10(c) 263... 5 Audit Trail 11.10(e) 216... 5 SUMMARY OF RECOMMENDATIONS...6 REFERENCES...6 Executive Summary FDA issued on 20 February 2003 a significant draft guidance document on the scope and application of 21 CFR Part 11. This new guidance will allow industry to adopt a much more pragmatic approach to Part 11. In some cases the FDA will not enforce the rule or aspects of the rule, e.g. legacy systems in operation before 20 August 1997 will no longer be subject to Part 11 inspections. ABB has with this paper set out to provide a summary of the new guidance document, plus an interpretation of the restated requirements. A summary of recommendations is included, and industry can draw noteworthy benefits from implementing the guidance, without neglecting compliance with 21 CFR Part 11. ABB Life Sciences 2003 Unauthorised copying or use prohibited Page 1 of 6

Background 21 CFR Part 11 (henceforth referred to as Part 11 or the rule ) has become one of the most significant pieces of recent FDA regulation. At the same time it is the regulation that has attracted the most criticism and caused immense confusion and costs for industry. Increasingly the cost of complying with Part 11 has outstripped any risk reduction to public health. In August 2002 FDA announced a risk based approach to enforcement of cgmp, and specifically included Part 11 in this new initiative. The Agency has also taken industry complaints to heart, as evidence has mounted on the difficulties in complying with the letter of the law. Accordingly, on 20 February 2003 FDA issued new draft guidance to industry on the scope and application of Part 11. ABB has with this paper set out to provide a summary of the new guidance document, plus an interpretation of the restated requirements, as well as a set of recommended actions to follow. ABB welcomes any comments on this paper, which can be directed to the person at the end of the document. This document is copyright protected, and may not be copied or distributed without the written consent of ABB. Summary of Guidance In summary the guidance provides for: Reinforce the enforcement of predicate rules (Parts 58, 211, 820, etc.) Promote a risk based approach to GMP. As part of developing this approach, Part 11 will be re-examined, which may result in changes to the rule. Whilst this review takes place, the following guidance will apply: The definition of electronic records and signatures that fall under Part 11 has been clarified and in many cases narrowed. Enforcement discretion will be exercised, particularly in the following areas: o Legacy systems o Validation o Record copying o Record retention o Audit trail The remaining sections of Part 11 will continue to be fully enforced as per the rule wording. In addition the Agency announces that: Already issued guidance to industry documents are withdrawn (all in draft and covering glossary of terms, validation, time stamps, maintenance of records and electronic copies of electronic records). The compliance policy guide CPG 7153.17 enforcement policy is withdrawn. The details of the guidance are discussed in the following sections. ABB Life Sciences 2003 Unauthorised copying or use prohibited Page 2 of 6

Status of Guidance This guidance has been labelled as draft not for implementation, and comments can be forwarded to the FDA until 20 April 2003. This rationale has been emphasised by the introductory statement that agency guidance, including this document, should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. 46 Later, however, it is stated that this guidance has been issued to describe how we intend to exercise enforcement discretion with regard to certain Part 11 requirements during re-examination of Part 11 106. This would suggest that this draft guidance contains important information and announcements, which industry can and should act on immediately. Even though a re-examination of the Part 11 regulation itself is referred to, it is not likely that the approach taken by the FDA will dramatically change further. General Interpretation of Guidance The guidance represents a major shift in FDA approach and enforcement policy. The original purpose, as requested by industry, was to define the conditions under which electronic records and signatures would be acceptable to the FDA. This in turn would enable the gainful employment of fully electronic systems in drug development and manufacture. The stated purpose of the guidance is to make Part 11 more pragmatic and manageable, and to remove the majority of instances of misguided cases of interpretation. 81 In particular, enforcement of specific clauses of the rule became paramount and almost disconnected from the intent of those clauses, i.e. a reduction in the risk to public health. The draft guidance does enable a much more pragmatic approach to Part 11, which should result in fewer non-compliances, and hopefully promote the use of the provisions that Part 11 provide. It is important to realise, however, that the guidance does not go the whole way towards a pragmatic risk based approach. Clauses of Part 11 that are not specifically mentioned in the guidance are not subject to enforcement discretion. 125 This includes access controls 11.10(d)(g), operational checks 11.10(f), device checks 11.10(h), competence checks 11.10(i), documentation controls 11.10(k), open systems 11.30, and all clauses related to handwritten and electronic signatures 11.50, 11.70, 11.100, 11.200, 11.300. 126 It is true that these clauses have caused less concern to industry, but a pragmatic risk based approach is still beneficial in these cases. In addition, this guidance, while clearly narrowing and better defining the scope of Part 11, is still open to interpretation, even in such fundamental areas as to what constitutes an electronic record. Specific Comments Definition of Electronic Records 158 The definition of a Part 11 electronic record has been clarified to state that the rule applies to: Regulated records that are maintained in electronic format in place of paper format. 163 Regulated records that are maintained in electronic and paper format, where the electronic format is used for regulated activities. 168 Regulated records are those documents / records that are identified by the applicable predicate rules (Parts 58, 211, 820, etc.) and need to be maintained. Regulated activities are those actions identified in the predicate rules. ABB Life Sciences 2003 Unauthorised copying or use prohibited Page 3 of 6

Paper records that are generated by computers, that are merely incidental to the record generation process, do not fall under the rule 154. This definition is helpful, and does not differ from ABB practice. An example is a word processor that is used for the generation of a submission. This is then presented to the FDA and maintained in paper format, and the computer-generated data is not used for any other regulated activities. In this case Part 11 does not apply. 151 Should the same records be distributed electronically for regulatory purposes, e.g. as an SOP, then Part 11 does apply because you are now relying on the integrity of the electronic record. 171 It may not always be easy to determine the exact records required under predicate rules (regulated records). Predicate rules do not necessarily reflect current practice, e.g. Part 211 defines GMP not cgmp, and additional guidance may need to be consulted, such as FDA Guidance on General Principles of Software Validation [2], the GAMP guide [3] and ISPE Baseline guides [4]. Note that it is still the case that electronic records that are submitted in addition to those identified in regulations, also potentially fall under the Part 11 regulation. 184 The guidance recommends that each predicate record is defined as either paper record or electronic record (and hence within scope of Part 11), and that this is documented in an SOP. 179 is industry practice to identify all relevant electronic records as part of system assessment. It is also ABB s practice to define the electronic records in the system description or user SOP or similar document. Definition of Electronic Signatures 191 The definition of a Part 11 electronic signature is limited to those instances where an electronic signature is used to replace a signature or initial identified in the predicate rules. This is interpreted to include those instances that state verified in the predicate rules. Electronic signatures that are not identified in the predicate rules do not fall under Part 11. It should be noted, however, that the security and use of any such signature could be questioned under the predicate rules. Legacy Systems 234 Enforcement of Part 11 will be limited to systems that have been put into operation after 20 August 1997. The applicable predicate rules, however, still apply to all systems used for regulated work, and the guidance states specifically that all systems must be fit for purpose. ABB would support this revision in policy, as many of the Part 11 requirements have proved difficult to implement for these older systems, so the main impact of this exemption is to enable companies to retain the systems as long as they are safe and trustworthy. In a few years time most of these systems are likely to be replaced as part of the scheduled capital spend. Note that the exemption only applies to systems more than 6 years old, so that many current systems will still be within the scope of Part 11. Also, note that no exemption is applied to any system using electronic signatures, since legally these could not be employed before 20 March 1997. Validation 11.10(a) 196 The validation requirements shall be determined by the predicate rules, other existing FDA guidance (in particular General Principles of Software Validation [2]), GAMP 4 [3], and risk assessment (risk to product quality, product safety and record integrity). The level of validation should be commensurate with the size, complexity, criticality, standardisation and quality of the computer system. This is consistent with ABB practice and current best industry practice. It ABB Life Sciences 2003 Unauthorised copying or use prohibited Page 4 of 6

Copies of Records 11.10(b) 242 The requirement to be able to provide electronic and readable copies of all electronic records has been reduced to giving the inspector reasonable and useful access to records, using standard system functions or commonly available tools / software / functions, as long as these are feasible to use. PDF is promoted as an acceptable format (because it can be universally read and searched), with the proviso that content, meaning and search / sort / trend functionality are preserved where possible. This wording gives companies ample leeway to comply with 11.10(b). There is no mention of validating the copying procedure or the need to maintain all configuration and meta data. Configuration and meta data are not addressed by the guidance, and it is often difficult to obtain copies of these. The guidance recommends, however, that you ensure that the content and meaning of the record are preserved in the copying process. 256 ABB recommends that companies document which records can be copied, and to what format the copying is done. Where copying cannot be done electronically, using readily available methods, paper copies may be generated and verified. These instances should be justified by a credible rationale. Record Retention 11.10(c) 263 The predicate rules determine what records need to be retained and for how long. It is no longer necessary to retain all electronic records and all record components, such as configuration and meta data, as long as the predicate rule requirements are met. This is an important concession, as comprehensive electronic record retention (as previously interpreted by FDA) over the lifespan of a record may be difficult to attain. The new guidance specifically states that the FDA will not normally object to the archiving of electronic records onto microfilm, microfiche or paper. 275 This reflects current best industry practice. The guidance states that which records are to be kept should be justified. 271 Stored records must retain their content, meaning and context. Hybrid records, i.e. a mixture of paper and electronic components, are specifically allowed in the new guidance, something that represents current industry practice. Audit Trail 11.10(e) 216 The need for an audit trail is now to be determined by the predicate rules, other existing FDA guidance (in particular General Principles of Software Validation [2]), GAMP 4 [3], and risk assessment (risk to product quality, product safety and record integrity). This is consistent with ABB practice, but constitute a material change from what industry in general has been attempting to do. The guidance recognises that an audit trail is only one way of reducing risk and ensuring record integrity. Alternatives are access controls (physical, logical), procedural controls, security and back-up of records. Note that manual audit trails are not mentioned as a substitute to automated electronic ones. It has long been ABB policy that these are not credible alternatives for detecting unauthorised changes. On the other hand, manual controls for authorised changes, i.e. change control, can often be appropriate. ABB Life Sciences 2003 Unauthorised copying or use prohibited Page 5 of 6

Summary of Recommendations Based on ABB s interpretation of the draft guidance and our experience from working with all aspects of the rule, our recommendations to industry are as follows: Companies must still comply with Part 11, which remains the law. What the FDA is now classing as enforcement discretion will only apply to some aspects of the rule. Part 11 rectification programmes should not therefore be terminated. Companies should take advantage of the fact that the guidance enables a much more pragmatic approach to be adopted. A risk based approach to Part 11, and computer system validation in general, should be implemented. Companies should continue to pay attention to the use and control of computer systems. The vast majority of 483 observations, which are issued with relation to computer systems, do not reference Part 11. The guidance enforces the stringent adherence to predicate rules. Companies now have the opportunity to focus their remediation spend on the more critical systems. The above approach will enable cost savings to be made, without increasing the risk to public health or the inspection risk. References 1. Guidance for Industry, Part 11, Electronic Records; Electronic Signatures Scope and Application (US FDA; 20 Feb 2003) 2. Guidance for Industry and FDA Staff; General principles of Software Validation (US FDA; 11 Jan 2002) 3. GAMP v4 Guide for Validation of Automated Systems (ISPE; Dec 2001) 4. Baseline Guides; various volumes and editions (ISPE) Per Olsson / ABB / per.olsson@gb.abb.com ABB Life Sciences 2003 Unauthorised copying or use prohibited Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback